
Smart Designs

Networking Primer for Small Businesses


November, 2009

Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883

CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Networking Primer for Small Businesses 2009 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface ix
  Overview ix
  Audience ix
  Organization x
  Related Documentation x
  Obtaining Documentation, Obtaining Support, and Security Guidelines xii

Chapter 1: Overview 1-1
  Computer Networks and their Advantages 1-1
  Business Locations of a Small Business Network 1-3
  Computer Network for a Small Business 1-5
  Small Business Network Architecture and Components 1-6

Chapter 2: Data Communication in a Computer Network 2-1
  Data Representation and Transfer 2-1
  OSI Model of Data Communication 2-3
    Overview 2-3
    OSI Model Layers 2-3
      Layer 1: Physical Layer 2-4
      Layer 2: Data Link Layer 2-5
      Layer 3: Network Layer 2-5
      Layer 4: Transport Layer 2-5
      Layer 5: Session Layer 2-6
      Layer 6: Presentation Layer 2-6
      Layer 7: Application Layer 2-6

Chapter 3: TCP/IP Protocol Suite 3-1
  Comparing the OSI Model and the TCP/IP Protocol Suite 3-1
  TCP/IP Physical and Data Link Layers 3-3
    Local Area Network Technology (Layer 1 and 2) 3-3
    Ethernet Physical Layer (Layer 1) 3-4
    Ethernet Data Link Layer (Layer 2) 3-4
    CSMA/CD Technology 3-5
    LAN Transmission Methods 3-5
    LAN Topologies and Components 3-6
    Ethernet Switch and Its Functions 3-6
    Virtual LANs 3-7
    Switch Port Modes 3-8
    Spanning Tree Protocol 3-9
    Rapid Spanning Tree Protocol 3-10
  TCP/IP Network Layer 3-11
    IP Version 4 and IP Version 6 3-11
    IP Packet 3-11
    Data Transfer in IP Networks 3-12
    IP Address Classes 3-13
    Private IP Addresses 3-14
    Network Masks 3-15
    IP Subnetting 3-15
  TCP/IP Transport Layer 3-16

Chapter 4: Protocols and Features Used in a TCP/IP Network 4-1
  Routing and Routing Protocols 4-1
    Static Routing 4-2
    Dynamic Routing 4-2
  Address Resolution Protocol 4-3
  Dynamic Host Configuration Protocol 4-4
  Domain Name System 4-5
  Dynamic DNS 4-6

Chapter 5: Network Architecture for a Small Business 5-1
  Small Business Network Topology 5-1
    Local Area Network 5-2
    Wide Area Network 5-3
  Ethernet Switches 5-4
    Ethernet Interface Types and Operating Modes 5-4
    IP Multicast and IGMP Snooping 5-5
    Managed and Unmanaged Switches 5-5
    Layer 3 Switching 5-5
    Power over Ethernet 5-6
    Quality of Service in a Switch 5-6
    LAN High Availability 5-7
      Switch Stack 5-7
      Link Aggregation (EtherChannel) 5-7
    Switch Security 5-7
      Port Security 5-8
      BPDU Guard 5-8
      Storm Control 5-8
      Port-Based Network Access Control (802.1X) 5-9
  WAN Routers 5-9
    WAN Router with Integrated Switch 5-9
    WAN Interface and Connection Types 5-10
    Router DHCP Server 5-10
    Router Authentication Server 5-10
    WAN Router Security 5-11
      Intrusion Prevention System 5-11
      Guest Access 5-11
      Spam Blocking 5-11
      URL Filtering 5-11
      Content Filtering 5-12
    WAN Router Quality of Service 5-12
    WAN Router High Availability 5-12
      Redundant WAN Links 5-12
      Link Aggregation 5-12
      Hot Standby Router Protocol 5-13
  Network Address Translation 5-13
    Why NAT? 5-13
    How NAT Works 5-14
    Port Address Translation 5-16
    Static NAT 5-16
    NAT Inside the Payload 5-16
  Network Management 5-17
    Web-Based Management Tools 5-17
    Command-Line Interface 5-17
    Simple Network Management Protocol 5-18
    WAN Router Universal Plug and Play 5-18
    Other Management Tools 5-18

Chapter 6: IP Telephony Infrastructure 6-1
  Voice-Specific VLAN 6-1
  Power over Ethernet 6-1
  Quality of Service for IP Telephony 6-1
  Unified Communication Management 6-3

Chapter 7: Infrastructure Requirement for Wireless LAN 7-1
  Overview 7-1
  Wireless Devices 7-1
    Wireless Access Point 7-1
    Wireless LAN Controller 7-2
  Separate VLANs for Wireless Traffic 7-2
  Quality of Service 7-2
  WLAN Security 7-3
    Authentication 7-3
    Data Encryption 7-3

Appendix A: Quality of Service A-1
  Overview A-1
  Traffic Classification A-2
  Traffic Marking A-3
  Traffic Policing A-4
  Traffic Shaping A-4
  Queuing A-5
  QoS in a Switch A-6
  QoS in a WAN Router A-6
  Advanced QoS A-7
    Hierarchical Queuing A-7
    Weighted Random Early Detection A-7

Appendix B: Network Security B-1
  Infrastructure Protection B-1
  Firewall Policy Enforcement B-2
    Firewall Policies for Internet Access B-4
    Firewall Policies for the DMZ B-4
    Additional Firewall Zones B-5
    Enhanced Stateful Packet Inspection B-5
    Mitigating DoS Attacks B-6
    Allowing Specific Traffic Types through the Firewall B-7

Appendix C: Virtual Private Network (VPN) for Secure Connectivity C-1
  Overview C-1
  Basic Cryptographic Procedures C-2
    Preshared Key C-2
    RSA C-2
    Cryptographic Hash Function C-2
    Hash-Based Message Authentication Code C-3
    X.509 Digital Certificate C-3
    Diffie-Hellman Key Exchange C-3
    Encryption C-4
  IPSec Technology C-4
  Virtual Private Network for Small Businesses C-7
    IPSec Site-to-Site VPN for Remote Office C-7
    IPSec Remote Access VPN for Home Office and Mobile Workers C-7
    SSL VPN for Mobile Worker C-7

Index

Preface
This preface contains the following sections:

Overview, page ix
Audience, page ix
Organization, page x
Related Documentation, page x
Obtaining Documentation, Obtaining Support, and Security Guidelines, page xii

Overview
This network primer is intended for anyone who wants a basic understanding of computer networks, particularly the kind of networks that are most useful for small businesses. It covers networking technologies and devices, their important features, and their impact on a small business network. No prior knowledge of computer network technology is required. As more and more business functions within a small business are computerized, the quality of the computer network affects the business more than ever before. This primer describes the networking technology required to meet the needs of small businesses, especially in regard to the following business considerations:

Secure connectivity
Investment protection using a layered architecture

Audience
This document is written for junior technical personnel, or as a refresher in the basics of networking for networking administrators, designers, or implementation engineers. Although this document is highly recommended, it may not be required for experienced technical personnel who are already familiar with networking technology.


Organization
The following table summarizes how this document is organized and the purpose of each chapter and appendix:

Chapter 1: Overview
  This chapter provides an introduction to the document, defining the goals a small business typically seeks to achieve through computer networking, and defining basic terms and concepts used throughout the document.

Chapter 2: Data Communication in a Computer Network
  This chapter introduces general data communication concepts such as binary data representation for data storage and transfer, IP addressing, subnets, and OSI layers. This chapter can be skipped if the reader is already familiar with these concepts.

Chapter 3: TCP/IP Protocol Suite
  This chapter describes the TCP/IP protocol suite, which is the standard for implementation and deployment of computer networks worldwide.

Chapter 4: Other Protocols Used in a TCP/IP Network
  This chapter describes the most important of the various other protocols that are commonly used in a TCP/IP network.

Chapter 5: Small Business Network Architecture
  This chapter describes a small business network architecture in terms of the network components such as switches and routers, their connections, and their roles. In addition, it provides details of some of their functionality that are important for a small business network.

Chapter 6: IP Telephony Infrastructure
  This chapter describes specific aspects of the network infrastructure required for implementation of IP telephony, including VLAN and QoS. A complete description of IP telephony design is outside the scope of this document.

Chapter 7: Wireless LAN Infrastructure
  This chapter provides a short description of the wired infrastructure required for implementing a wireless LAN (WLAN). A complete description of wireless LAN implementation is outside the scope of this document.

Appendix A: Quality of Service
  This appendix provides a further discussion of quality of service (QoS) concepts and mechanisms.

Appendix B: Network Security
  This appendix describes network security, which is critical to protect a business and its resources from various threats, such as viruses, worms, and denial-of-service (DoS) attacks.

Appendix C: Virtual Private Networks for Secure Connectivity
  The security of sensitive data transmitted between employees of a business over a shared public network, such as the Internet, is critical to the business. This appendix describes Virtual Private Network (VPN) technology, which can help ensure data security.

Related Documentation
Figure 1 illustrates the relationship between the various documents available for deploying network implementations based on the recommended architecture:

Figure 1 Related SNF Documentation (diagram: the Network Primer for Small Businesses, this document, introduces networking concepts; the Design Guide is for technical decision makers, network designers, and network implementers; the Implementation Guide, Solution Bill of Materials, and Application Notes are for network implementers and network designers)

Smart network design and implementations are described in the following series of task-oriented documents, each with a specific purpose:

Network Primer for Small Businesses (this document): Presents an introduction to basic networking concepts for junior technical personnel, or as a refresher in the basics of networking for networking administrators, designers, or implementation engineers. Although this document is highly recommended, it may not be required for experienced technical personnel who are already familiar with networking technology.

Network Design Guides: Describe a network design suitable for small businesses, including several typical variations in network topology and supported functionality. These guides are primarily written for network designers, senior technical personnel, and network implementation engineers, and assume that the reader is already familiar with basic networking concepts, as described in the Network Primer for Small Businesses.

Implementation Guides: Provide guidance for a full or partial implementation of the design using specific hardware. Several implementation guides are available for use with the SNF Network Design Guide. For example, one implementation guide focuses on providing basic network functionality, such as Internet access, using a specific Cisco ISR router. A different implementation guide, which may use a different router, describes how to add support for hosted Internet servers, such as web or e-mail servers.

Application Notes: Describe how to add a specific service, such as a site-to-site VPN or an Intrusion Prevention System (IPS), to the basic implementation.

Ordering Guides: Describe the specific hardware and software required to deploy a network using the appropriate implementation guide.

Note

For a complete list of SNF documents, see the following website: http://www.cisco.com/go/partner/smartdesigns

Obtaining Documentation, Obtaining Support, and Security Guidelines


For information on obtaining documentation, obtaining support, providing documentation feedback, security guidelines, and also recommended aliases and general Cisco documents, see the monthly Whats New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html


Chapter 1

Overview
This chapter provides an introduction to the document, identifies the goals a small business typically seeks to achieve through computer networking, and defines basic terms and concepts used throughout the document. It includes the following sections:

Computer Networks and their Advantages, page 1-1
Business Locations of a Small Business Network, page 1-3
Computer Network for a Small Business, page 1-5
Small Business Network Architecture and Components, page 1-6

Computer Networks and their Advantages


A computer network is an interconnected collection of network devices that allow information to be shared between computers and other end-user devices attached to the network. The list of end-user devices that can be attached to a computer network is constantly growing, but includes:

PCs and laptops
IP phones
Video cameras
Data center computers running various business applications
Printers
FAX machines
Point-of-sale equipment
Data storage devices

Deployment of computer networks has evolved to a stage where the network is now treated as an essential part of a business infrastructure. Computer networks help businesses to be competitive and profitable by providing quick and efficient information collection, storage, retrieval, analysis, and sharing, as described below.

Improved employee collaboration: The network helps employees retrieve and share information and ideas easily, at electronic speed. Ubiquitous e-mail applications, messaging applications, and social networking over the Internet are possible due to computer networks. Computer networking helps an employee check the availability of other employees, and set up web-based meetings with participants dispersed over a wide area. Advanced collaboration tools such as audio and video conferencing, and real-time file sharing, save time and money.


Improved business process efficiency: A computer network can help streamline business processes and make them more efficient. Any information recorded by a business process can be made available to other business processes instantly through the network, which greatly improves efficiency. The network also improves business process accuracy by preventing the duplication of information. A single copy of the information can be shared over the network, which helps ensure consistency among all the business applications that use the data.

Improved collaboration with business partners: Business partners can complete transactions with a small business over the computer network, which improves collaboration and efficiency. Applications such as web-based multimedia conferencing, e-mail, and messaging supplement various business-specific collaboration applications to simplify interbusiness collaboration.

Improved customer relations: Customers can communicate efficiently over the Internet to complete transactions, get business information, and provide feedback. Internet-based interaction with customers is an important service provided by a business that saves time and money for both the business and the customers.

Resource sharing: The network can reduce cost by sharing office resources. For example, resources such as printers and network storage devices can be shared among groups of employees. Similarly, computer software cost may be reduced by installing a single copy of the software on a server. This software can then be used remotely over the network by various users, as allowed by the terms of the software license agreement. This can reduce the direct software cost as well as the cost of installation and administration. Also, the network allows standardization on a single software version, which minimizes software compatibility issues. A computer network also allows an administrator to administer all computers from a single location, without having to be physically present near each individual computer.

Secure management of sensitive information: A properly designed computer network helps control which users and devices can reach which network resources and information. The switch security, firewall, and VPN features described later in this document are the mechanisms that enforce this control.

Worldwide, instantaneous access to information: A small business can disseminate business information globally simply by including it in its web pages. This is one of the simplest ways to advertise services and distribute business information to locations throughout the entire world.


Business Locations of a Small Business Network


Most small businesses start out with a single office location, as shown in Figure 1-1. The computer network for such a small business typically connects the PCs/laptops, servers, and other sharable devices, such as printers and network storage devices. In addition, the network allows users to share access to the Internet over a broadband connection, such as a DSL link, or over a leased line.

Figure 1-1 Network for a Small Business with a Single Office Location (diagram: a small business LAN with PCs and IP phones, connected to the Internet over a broadband or WAN link)

As business demands grow, the network may be expanded through secure connectivity with remote offices, home offices, and mobile workers, as shown in Figure 1-2. The various types of small business office locations in this expanded network are described below.

Main Office: The primary location containing most of the shared data and networking resources, such as files, databases, business servers, web servers, and e-mail servers. Typically, the main office is also the primary business location. If a small business has a single location, that location is its main office.

Remote Office: A satellite business location connected to the main office either using a leased line (WAN), or over the Internet. A remote office typically has a smaller number of employees than the main office. The remote office network has a WAN router and additional network devices, such as switches. Remote offices do not typically host web services or any other services accessible from the public Internet; such services, when deployed, are typically located at the main office. A remote office is typically connected to the Internet and to other locations with a broadband link or a leased line.


Figure 1-2 Small Business Network (diagram: the main office, with its PCs and IP phones, is connected to a remote office via a WAN link or the Internet, and to a home office and to mobile workers, either on the road or at home, via the Internet)

Home Office: A home office is a residential location from which the employee can conduct business activities by securely connecting to the main office or remote office. A home office network has a WAN router. It may also have additional network devices, such as switches. Devices that can be attached to the home office network include PCs, laptops, and IP telephones. Home offices typically use broadband links for Internet access and connections with other offices.

Mobile Worker: A mobile worker securely accesses the office network through the Internet by establishing a virtual private network (VPN) connection from a laptop. To gain Internet access, a mobile worker may use any available public or private network offering such access, such as those available at airports, hotels, and public Wi-Fi spots, or an employee residence. A mobile worker does not need to have any network equipment, such as a router or a switch. A mobile worker does not have a permanent connection to the office network. The mobile worker typically establishes a VPN connection to the office network as needed. A mobile worker typically travels only with a laptop, and does not use an IP telephone. However, the mobile worker can use a softphone, which is software installed on a laptop or other computer that simulates an IP phone. Some small businesses may treat contractors as mobile workers, which allows restricting their access to network resources.


The key difference between a home office and a mobile worker is that the home office has a permanent VPN connection between the home office router and the main office. The mobile worker establishes a VPN connection as needed directly between a laptop and the main office.

Computer Network for a Small Business


The structure and facilities provided by a computer network for large enterprises can be very complex. However, the small business network should provide the network functionality required by the small business in the simplest way, to minimize administrative and other costs. The small business network can start small, providing an essential subset of the following functionality, but should be designed so that functionality can be added as it is required:

Access to the Internet.
Employee communication using applications such as e-mail and messaging.
Running or interoperating with business-specific applications, such as order entry, order processing, and financial applications.
Secure access by authorized employees to sensitive company resources, such as business data, payroll information, and so forth.
Business partner collaboration over the Internet.
Public access to general company resources, such as the company website and ordering site.
IP telephony, which offers more cost-effective and flexible telephony options.
Data storage and sharing using Network Attached Storage (NAS) devices.
Video applications, such as video surveillance.
Wireless network access integrated with the wired computer network to provide employee mobility within the office.
Unified communication and collaboration applications, including audio, video, and other media. Unified communication allows employees, business partners, and customers to collaborate with a combination of voice, video, and data applications from an office or remote locations, such as airports, hotels, warehouses, or vehicles, using wired or wireless connections. Without unified communication, employees must master a variety of tools to communicate effectively over the network. Cisco Unified Communications integrates applications to provide simple, and even one-click, access to a variety of applications. Examples include a directory lookup application that automatically launches other applications, such as a one-click telephone call or messaging, or a messaging application that launches a conferencing application.
Secure connectivity for remote offices, home offices, and mobile workers using VPNs.

A network for a small business, whether it provides basic Internet access or offers more sophisticated audio and video services, must maintain some essential characteristics:

Low cost
Simple deployment
Minimal administrative overhead


Small Business Network Architecture and Components


Before describing specific network technologies, it is helpful to know the basic components of the kind of network that is required by a small business. Figure 1-3 shows the major components of a small business network, which include the following:

LAN
WAN
Shared devices and servers
Public switched telephone network (PSTN) connection (optional)

Figure 1-3 illustrates two network topologies that are suitable for most small businesses, and which form the basis for most of the discussions in this document.
Figure 1-3 Small Business Network Components (diagram, left: basic small business network, in which a WAN router connects a LAN switch and its PCs/laptops to the Internet or a WAN; right: small business network with IP telephones and servers, in which a WAN router with a PSTN connection links LAN switches that serve PCs/laptops, IP phones, shared devices and servers, and publicly accessible servers)

The simplest small business network, shown on the left side of the figure, provides Internet access to network users. It assumes that applications such as e-mail and messaging services are provided by the Internet Service Provider (ISP). The network illustrated on the right side of the figure is a more sophisticated network, which can provide local services, such as IP telephony, and host local servers, such as web servers, e-mail servers, and other servers required by the network infrastructure, such as an IP telephony server. The components of a small business network have the following functions:

Local area network (LAN): Interconnects all local devices, such as PCs, laptops, IP telephones, business servers, shared printers, shared storage devices, and video surveillance cameras. The main networking device used within a LAN is known as a switch. Although there are various types of switches, the small office network LAN uses a switch with Ethernet technology for data communication (for further information, see the Ethernet Switch and Its Functions section on page 3-6).


A LAN allows connected devices to communicate at high speeds, such as 10, 100, or 1000 megabits per second (Mbps). This allows for fast communication among employees, and easy access to business servers and other shared resources, such as printers and storage devices. All end-user devices such as PCs, laptops, IP telephones, printers, scanners, and business-specific devices (such as weighing machines and cash registers) are attached to the LAN. A LAN imposes a limit on how far apart the connected devices can be. This usually means that the boundary of a LAN should lie within a building, or at most be limited to a few adjacent buildings. Most small business offices do not extend beyond a couple of buildings. Therefore, it is typical for a small business network to have a single LAN.

Wireless LAN: A wireless LAN connects multiple wireless-enabled devices, such as laptops and wireless IP phones, to the wired LAN. A wireless LAN uses specialized devices, such as a Wireless Access Point (AP) and a Wireless LAN Controller. This document focuses on wired LAN technology. However, Chapter 7, Infrastructure Requirement for Wireless LAN, does discuss the wired infrastructure requirements for deploying a wireless LAN.

Wide area network (WAN): A WAN interconnects devices that are distributed geographically. In a small business network, the devices within each office location are connected by a LAN, and the WAN is used to interconnect the various LANs. As shown in Figure 1-3, the router WAN interface is connected to the Internet, or directly to another business location over a WAN that is owned and operated by a service provider. A small business network uses the WAN to connect to the Internet, remote offices, home offices, and mobile workers. The basic networking device used in the WAN is called a router. A router may provide additional capabilities related to advanced security and voice, and so may also function as a security appliance or a unified communication device. A WAN may use many technologies for data communication. These include, but are not limited to, the following:

Ethernet
ADSL
G.SHDSL
ISDN
3G wireless
DSL over ISDN
ATM
Frame Relay
PSTN

A service provider provides two types of WAN connections:

Leased line: A leased line is a private high-performance circuit leased from a service provider that can be used to connect directly to another location (private WAN link).

Internet connection: Internet access can be provided over telephone wires or cable television wiring using broadband technologies such as DSL or cable modem service, or over ISDN. Internet access can also be provided by other technologies, such as T1/E1 links. Internet access is not dedicated to a single destination, and can be used for data communication with any other site or user connected to the Internet.

The main differences between these two WAN connection types are summarized in Table 1-1.


Both leased line and Internet connections are useful for small businesses. Leased lines are more expensive, but they provide guaranteed bandwidth with low data loss and jitter, and therefore are better for business-class voice and video. Typically, Internet connections do not offer any minimum bandwidth guarantee, and can drop packets. Internet connections are sufficient if Internet access is the only service supported, or if best effort voice and video is acceptable.

Public switched telephone network (PSTN) connection: A small business typically uses the PSTN in parallel with its IP telephone network to connect with telephones outside the IP telephony network.

Application servers: Servers are computers that run various business applications, such as web servers, e-mail servers, and computers that run business-specific applications. These use the network infrastructure for data communication. Some of these servers, such as those hosting the small business website, are accessible from the public Internet. Because such servers are reachable by anyone on the Internet, they should be separated from the internal LAN by firewall policy; see the DMZ discussion in Appendix B, Network Security.

Network infrastructure servers: Network infrastructure servers run applications that let the network run properly, such as authentication (RADIUS) servers, servers that dynamically assign IP addresses to other devices (DHCP), servers that control IP telephone calls (such as Cisco Unified Communications Manager), and servers that map device IP addresses to domain names (DNS servers).

Note

Simplifying the small business network reduces the number of devices and the amount of administrative overhead. Some WAN routers can help by integrating the function of one or more network infrastructure servers, so that a separate server is not required.

The network also connects other shared devices accessible to multiple users, such as network attached storage (NAS) devices, print servers, fax machines, and video surveillance cameras.
Table 1-1 WAN Connection Types

Who provides the service?
  Private WAN Link: Service provider
  Internet Access: Internet service provider (ISP)
  Remark: The same provider can provide both types of WAN connection.

Destination of traffic
  Private WAN Link: Dedicated connection between predetermined sites
  Internet Access: Traffic can be directed to any location connected to the Internet

Network link type
  Private WAN Link: T1/E1, T3/E3, DS3, Frame Relay, Ethernet
  Internet Access: xDSL, Cable, T1/E1, T3/E3, DS3, ISDN, Ethernet
  Remark: Other WAN technologies, such as ATM, are not typically used by small businesses.

Data security
  Private WAN Link: Secure to a large extent
  Internet Access: Not secure, unless used with VPN or other types of encryption
  Remark: Private WAN links (leased line) are secure to the extent that data is isolated from other leased lines, but data is not encrypted.

Service quality
  Private WAN Link: Typically guaranteed bandwidth, with low data loss
  Internet Access: Typically no end-to-end guarantee on bandwidth or data loss

Cost
  Private WAN Link: Higher
  Internet Access: Lower
  Remark: Cost depends on several factors, such as speed, maximum delay, reliability, repair time, and so forth.

Application suitability
  Private WAN Link: Business quality voice, video
  Internet Access: Internet access, best effort voice and video
  Remark: The Internet is a best effort network, meaning that packets can get lost or delayed. As a result, only best effort voice and video is possible.


Chapter 2 Data Communication in a Computer Network

This chapter introduces general data communication concepts such as binary data representation for data storage and transfer, and OSI layers. This chapter can be skipped if the reader is already familiar with these concepts. This chapter includes the following sections:

- Data Representation and Transfer, page 2-1
- OSI Model of Data Communication, page 2-3

Data Representation and Transfer


A digital computer is an electronic device that stores and transfers data as a collection of binary digits (bits). There are exactly two binary digits: 0 and 1. Why not more than two digits? Because it is easy to build electronic circuits that work with just two positions, on and off. A byte, which consists of 8 bits, is the basic unit of computer memory.

When information is stored in a computer, it is converted (encoded) into a series of 0s and 1s and then stored as a series of bytes. When information is retrieved, the encoded information is decoded and presented on a screen, or printed on paper or other media, as required. When a computer sends information to another computer, it sends the bytes as a sequence of 0s and 1s, encoded in an electrical, optical, or radio signal transmitted over whatever physical media connects the two computers.

In common usage, the words information and data are often used interchangeably. In technical terms, however, data is information that has been encoded by a computer. A computer encodes information into data, and it can then process, store, or transmit the data. A computer may use different encoding schemes for different types of information, such as numbers, pictures, and text.

Figure 2-1 shows an example of information (the word hello) encoded using the American Standard Code for Information Interchange (ASCII). ASCII specifies eight-bit binary codes for letters and other printable symbols, and reserves certain codes for special purposes such as the carriage return on a printer or display device, or producing a sound on an audio output device. All the encoded letters, digits, and special characters are together called characters.


Figure 2-1 Hello Encoded as Binary Data (Bits and Bytes)

Text   ASCII code in decimal   ASCII code in binary
H      72                      01001000   (Byte 1)
E      69                      01000101   (Byte 2)
L      76                      01001100   (Byte 3)
L      76                      01001100   (Byte 4)
O      79                      01001111   (Byte 5)

The figure also lists each ASCII code in hexadecimal.

As Figure 2-1 shows, the ASCII character H is encoded as the decimal number 72. The decimal number 72 is equivalent to the binary number 01001000. Often, hexadecimal numbers (numbers with a base of 16) are used as a concise way to represent binary numbers. The values from 10 to 15 are represented by the letters A to F. A 4-digit group of binary digits can be represented by a single hexadecimal digit from 0 to F. To convert a binary number to a hexadecimal number, divide the binary number into 4-digit groups and then assign a hexadecimal digit to each group. For example, the ASCII character H has a binary value of 01001000 and a hexadecimal value of 48, calculated as follows:

01001000 has two 4-digit groups: 0100 and 1000
binary 0100 = hexadecimal 4
binary 1000 = hexadecimal 8

As Figure 2-1 shows, the entire word HELLO is represented in hexadecimal as 48 69 4C 4C 4F. In addition to ASCII, other encoding schemes exist, such as Extended Binary Coded Decimal Interchange Code (EBCDIC), which is a similar system of encoding information as binary data, but which assigns different letters to the same binary digits.

When a computer sends data bytes over an electrical cable, the source computer network interface converts the bits into the appropriate electrical signals. If an optical cable is used, the bits are converted into the appropriate optical signals. A wireless interface converts the bits into electromagnetic waves. The destination device receives the signals and converts them back into the original binary digits and the corresponding data bytes.
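The conversion just described, carried out in code for any ASCII string rather than only for the letter H. This is an added example and not part of the Cisco primer; the function names are not from the primer. Each byte is split into two 4-digit binary groups and each group is mapped to one hexadecimal digit, exactly as the text does for 0100 1000. Note that the E of HELLO, decimal 69 in Figure 2-1, converts to binary 01000101 and hexadecimal 45.

```python
# Added example (not from the Cisco primer): ASCII text -> decimal, 8-bit binary
# and hexadecimal, with the hex digit derived from each 4-digit binary group.

HEX_DIGITS = "0123456789ABCDEF"


def nibble_to_hex(bits: str) -> str:
    """Map one 4-digit binary group (e.g. '1000') to one hex digit (e.g. '8')."""
    if len(bits) != 4 or set(bits) - {"0", "1"}:
        raise ValueError(f"not a 4-digit binary group: {bits!r}")
    return HEX_DIGITS[int(bits, 2)]


def binary_to_hex(binary: str) -> str:
    """Split a binary string into 4-digit groups and convert each group to a hex digit."""
    if len(binary) % 4:
        raise ValueError("binary string length must be a multiple of 4")
    groups = [binary[i:i + 4] for i in range(0, len(binary), 4)]
    return "".join(nibble_to_hex(group) for group in groups)


def encode_ascii(text: str) -> list:
    """Return one row per character: the decimal, 8-bit binary and hex ASCII code."""
    rows = []
    for ch in text:
        code = ord(ch)
        if code > 127:
            raise ValueError(f"{ch!r} is not an ASCII character")
        binary = format(code, "08b")          # one byte: eight bits, zero-padded
        rows.append({"char": ch, "decimal": code, "binary": binary,
                     "hex": binary_to_hex(binary)})
    return rows


def decode_ascii(bit_stream: str) -> str:
    """Reverse direction: cut the bit stream into 8-bit bytes and decode each byte."""
    if len(bit_stream) % 8:
        raise ValueError("bit stream length must be a multiple of 8")
    return "".join(chr(int(bit_stream[i:i + 8], 2)) for i in range(0, len(bit_stream), 8))


def hex_word(text: str) -> str:
    """The whole word as space-separated hexadecimal bytes."""
    return " ".join(row["hex"] for row in encode_ascii(text))


if __name__ == "__main__":
    for row in encode_ascii("HELLO"):
        print(f"{row['char']}  {row['decimal']:3d}  {row['binary']}  {row['hex']}")
    print(hex_word("HELLO"))
```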


OSI Model of Data Communication


This section describes the Open System Interconnection (OSI) model and includes the following topics:

- Overview, page 2-3
- OSI Model Layers, page 2-3
- Layer 1: Physical Layer, page 2-4
- Layer 2: Data Link Layer, page 2-5
- Layer 3: Network Layer, page 2-5
- Layer 4: Transport Layer, page 2-5
- Layer 5: Session Layer, page 2-6
- Layer 6: Presentation Layer, page 2-6
- Layer 7: Application Layer, page 2-6

Overview
The OSI reference model is a network architectural model for data communications developed by the International Standards Organization (ISO) and the Telecommunication Standardization Sector (ITU-T). The OSI model divides the data communication process into seven separate groups of functions called layers. The seven layers of the OSI model address various functions, including the following:

- How to identify a network device or end node (addressing)
- How to control the rate of data transfer between the source and destination so that a fast sender does not send more traffic than the receiver can handle (flow control)
- How to identify transmission errors and recover from them
- What additional information to send along with the data (encapsulating the data) to help the network devices to forward the traffic
- How to transfer messages reliably

The OSI model is a great way to learn the intricacies of data communication, conduct academic research, and to provide a consistent set of terms to help disseminate technical information. However, it is rarely implemented in actual network devices today. The TCP/IP protocol suite, described in Chapter 3, TCP/IP Protocol Suite, is the protocol stack that is actually used in data networks today. It has a similar, but simpler, architectural model, providing only five layers of networking functions.

OSI Model Layers


Each of the seven layers of the OSI model has specific functionality, which is described in the sections that follow. These layers are implemented in the hardware and software of network devices and in any computers that communicate over the network. The hardware and software at each OSI layer of the sender communicates with the corresponding layer of the receiver using network protocols specific to each layer. A network protocol defines the standard procedure that a network device follows for data communication. The OSI model standardizes the protocols used in each layer. The software that implements the various layers in the model is called a protocol stack.


When a computer application, such as an e-mail program, sends data to another computer, the data is encapsulated within each successive layer by the operating system software. Each layer provides a specific set of functions required for transferring the data efficiently over the physical network media. Figure 2-2 shows the seven layers of the OSI model and shows how layer-specific headers are added, in a process called encapsulation, at the source, and removed at the destination (decapsulation) by the software running at each OSI layer.
Figure 2-2 Seven Layers of the OSI Model

Source (each layer adds its header; the stack is read from the top down):
  Application layer:   DATA
  Presentation layer:  DATA
  Session layer:       SH DATA
  Transport layer:     TH SH DATA
  Network layer:       NH TH SH DATA
  Data link layer:     DH NH TH SH DATA
  Physical layer:      DH NH TH SH DATA

Destination: the same seven layers, from the bottom up, remove the headers in reverse order until the application layer receives DATA. Each layer at the source communicates with the corresponding layer at the destination using that layer's protocol.

SH : Session layer header, TH : Transport layer header, NH : Network layer header, DH : Data link layer header

Layer 1: Physical Layer


The physical layer transmits bits across a link connecting two network devices. This link can be a cable or a wireless link between two devices. The physical layer specifications define various aspects of the physical transmission including the following:

- Conversion of data bits to electrical or optical signals
- Electrical or optical characteristics of the cable
- Type of connector, including the number and arrangement of the pins

A single network device can support various types of physical links, such as the different flavors of Ethernet, but each type requires its corresponding physical layer.


Layer 2: Data Link Layer


While the physical layer transmits bits, the data link layer uses the physical layer to transmit groups of bits, called a frame in the Ethernet specification, across a link. The data link layer defines the following functions:

- Detection of data corruption
- Coordination of data transfer across a shared link when multiple devices transfer data using the link
- Use of data link layer addresses to identify individual network devices attached to a single link (for example, the Ethernet MAC address)

The data link layer adds the information required to perform these functions to the data being transmitted, such as the Layer 2 destination and source addresses, which are required to correctly deliver the packet. The additional information added to the data is called the data link header.

Layer 3: Network Layer


The previous two layers transmit data across a single link. In contrast, the network layer uses the data link layer to transmit data between any pair of end devices (such as laptops) across a network that may include many physical links interconnected by many network devices. Therefore, the network layer must identify each physical network and the devices located on that network in a way that allows data to be sent (routed) to the appropriate destination network. After the data arrives at the destination network, the data link layer address is used to deliver the data to the destination device. The IP layer is an example of a network layer protocol, and the IP address of a device is an example of a network layer address (see the TCP/IP Network Layer section on page 3-11). Additional functions of the network layer include the following:

- Finding a path to the destination
- Error reporting
- Congestion control
- Reassembly of a packet if the network has to fragment it for transmission

The network layer also adds its header to the data.

Layer 4: Transport Layer


The transport layer detects errors such as lost or duplicate packets received from the network layer. It also fragments large packets into smaller fragments based on the maximum size limit imposed by the network layer. This prevents inefficient network layer fragmentation. The transport layer can also establish separate connections between a pair of network devices, and retransmit any lost packet within a connection. The transport layer adds the transport layer header to the data, and provides a reliable communication between the source and destination. Most of the functions of the OSI transport layer are provided by the well-known Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). For more information, see the TCP/IP Transport Layer section on page 3-16.


Layer 5: Session Layer


The session layer provides services such as establishing, managing, and terminating connections between two applications. It also provides checkpoint, restart, and termination procedures for data communication between two computer applications. The OSI session layer, if used, also adds its own header to the data. However, in actual practice, much of the session layer functionality is actually implemented by the user application.

Layer 6: Presentation Layer


Data can be represented at the source and destination applications in different ways. To give a simple example, two applications may have different formats for floating point numbers, or use different alphanumeric character codes such as ASCII and EBCDIC. The presentation layer translates data from an application-specific format to a standard format so that the application program writer does not have to bother about data representation. OSI takes its presentation layer definition from the ASN.1 standard data representation.

Layer 7: Application Layer


The application layer consists of the computer applications run by users, such as Telnet, web browsing, file transfer applications, messaging applications, and e-mail applications. A laptop or any host computer connected to the network implements all the layers required to connect to other devices over the network. A host computer must at least run a user application at the application layer, and perform the functions necessary for the lower layers, including sending bits across the link to its connected network. As shown in Figure 2-2 on page 2-4, each layer on the source computer communicates with its corresponding layer on the destination device using a specific protocol for each layer. Theoretically, not every network device has to implement all the layers in the protocol stack. A switch is called a Layer 2 device, because it simply forwards a frame through a link to a device connected to the same link. Therefore, it only needs to implement physical and data link layers. A router is called a Layer 3 device because it uses Layer 3 addressing, such as an IP address, to forward traffic to the destination. Therefore, the router must implement the lower three layers: the physical, data link, and network layers. However, in practice, an administrator needs to log in to a switch or router to run a management application, such as Telnet. To support this kind of administrative functionality, a switch or a router actually does implement all the layers.


Chapter 3 TCP/IP Protocol Suite

The OSI model, described in the previous chapter, is the standard architectural framework for describing a suite of network protocols divided into layers. However, the TCP/IP protocol suite, developed originally by the U.S. Department of Defense (DoD), is the actual standard for implementation and deployment of computer networks worldwide. Therefore, this document explains the small business network assuming that the TCP/IP protocol suite is used. This chapter describes the TCP/IP protocol suite and includes the following sections:

- Comparing the OSI Model and the TCP/IP Protocol Suite, page 3-1
- Local Area Network Technology (Layer 1 and 2), page 3-3
- TCP/IP Network Layer, page 3-11
- Data Transfer in IP Networks, page 3-12
- TCP/IP Transport Layer, page 3-16

Comparing the OSI Model and the TCP/IP Protocol Suite


Almost all common network applications today, such as web browsers, e-mail programs, file transfer programs, and instant messenger programs use the TCP/IP protocol suite. Unlike the seven-layer OSI model, TCP/IP has a five-layer model with physical, data link, network, transport, and application layers. The relationships between the OSI and TCP/IP layers are summarized in Table 3-1.


Table 3-1 Comparing the OSI Model and the TCP/IP Protocol Suite

OSI layer: Application layer
  TCP/IP layer: Application layer (e-mail, Telnet, web browsers, and so forth)

OSI layer: Presentation layer
  TCP/IP layer: Application layer (OSI presentation layer functionality, if implemented, is performed by the application layer)

OSI layer: Session layer
  TCP/IP layer: Application layer (OSI session layer functionality, if implemented, is mostly performed by the application layer, except that packet sequencing is performed by the TCP/IP transport layer)

OSI layer: Transport layer
  TCP/IP layer: Transport layer. Example: Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)

OSI layer: Network layer
  TCP/IP layer: Network layer. Example: Internet Protocol (IP)

OSI layer: Data link layer
  TCP/IP layer: Data link layer. Depends on the physical layer used.

OSI layer: Physical layer
  TCP/IP layer: Physical layer. Examples: different types of Ethernet (10BASE-T, 10BASE2, 10BASE5, 100BASE-TX, 100BASE-FX, 100BASE-T, 1000BASE-T, 1000BASE-SX), ISDN, DSL, and so forth.

The actual TCP/IP network protocol stack is included with the specific operating system, such as Windows, MacOS, Linux, UNIX, or Cisco IOS software. Figure 3-1 illustrates how data being sent on an Ethernet network from an application running on a computer to another application on a destination computer is processed by different layers of the TCP/IP protocol suite running on each computer. Although the figure shows TCP as the transport protocol, UDP is also frequently used where faster transmission at the expense of reliability is required.
Figure 3-1 TCP/IP Protocol Stack Example

Source computer (headers are added from the top down):
  Application layer:        DATA
  Layer 4 Transport layer:  TCP header | DATA                                   (TCP)
  Layer 3 IP layer:         IP header | TCP header | DATA                       (IP)
  Layer 2 Data link layer:  Ethernet header | IP header | TCP header | DATA | Ethernet trailer   (Ethernet)
  Layer 1 Physical layer:   the Ethernet frame transmitted as bits

Destination computer: the same layers remove the Ethernet, IP, and TCP headers from the bottom up and hand DATA to the receiving application.


When a computer application, such as an e-mail program, sends data to another computer, the data is subjected to processing by the multiple TCP/IP layers starting with the application layer. The application layer forwards the data to the transport layer, the transport layer adds its header and passes the packet to the network layer and so on, until finally the physical layer receives the data and transmits it as a sequence of bits. The physical layer of the receiving computer receives the bits, and forwards them to the data link layer. The data link layer removes the Layer 2 header and forwards the packet to the network layer. The network layer similarly removes the Layer 3 header and hands the data to the transport layer. The transport layer then hands the data to the application program after removing the transport layer header.
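The encapsulation and decapsulation just described, and the OSI view of it in Figure 2-2, as an added Python example that is not part of the Cisco primer: the frame of Figure 3-1 is built header by header at the source (TCP, then IP, then Ethernet) and taken apart in reverse order at the destination. Header layouts follow the real Ethernet II, IPv4 and TCP formats; the function names, the MAC and private IP addresses and the port numbers are constructed sample values, and the Ethernet trailer (FCS) is left out because the interface hardware computes it. The receiver verifies the IPv4 header checksum before trusting the header, which is the Layer 3 integrity check the text alludes to under error detection; note that it covers only the IP header, not the payload.

```python
# Added example (not from the Cisco primer): build an Ethernet/IP/TCP frame at the
# source and strip the headers again at the destination. Addresses and ports are
# constructed sample values.
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def mac_bytes(mac: str) -> bytes:
    """'00:13:e8:dd:47:76' or '00.13.E8.DD.47.76' -> 6 raw bytes."""
    return bytes(int(x, 16) for x in mac.replace(".", ":").split(":"))


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_checksum(header: bytes) -> int:
    """IPv4 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def add_tcp_header(data: bytes, src_port: int, dst_port: int, seq: int = 0) -> bytes:
    """Layer 4: 20-byte TCP header without options (checksum left zero in this model)."""
    offset_flags = (5 << 12) | 0x18          # data offset 5 words; flags PSH+ACK
    hdr = struct.pack("!HHIIHHHH", src_port, dst_port, seq, 0, offset_flags, 65535, 0, 0)
    return hdr + data


def add_ip_header(segment: bytes, src_ip: str, dst_ip: str) -> bytes:
    """Layer 3: 20-byte IPv4 header; the checksum is filled in after packing."""
    total_len = 20 + len(segment)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                      PROTO_TCP, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + segment


def add_ethernet_header(packet: bytes, src_mac: str, dst_mac: str) -> bytes:
    """Layer 2: 14-byte Ethernet II header (destination MAC, source MAC, EtherType)."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4) + packet


def encapsulate(data, src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port) -> bytes:
    """Source side: application data passes down through Layers 4, 3 and 2."""
    segment = add_tcp_header(data, src_port, dst_port)
    packet = add_ip_header(segment, src_ip, dst_ip)
    return add_ethernet_header(packet, src_mac, dst_mac)


def decapsulate(frame: bytes) -> dict:
    """Destination side: remove the Layer 2, 3 and 4 headers in that order."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short for Ethernet + IPv4 + TCP headers")
    dst_mac, src_mac = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame: EtherType 0x%04x" % ethertype)
    packet = frame[14:]                                   # Layer 2 header removed
    ihl = (packet[0] & 0x0F) * 4                          # IP header length in bytes
    if ip_checksum(packet[:ihl]) != 0:                    # valid header sums to zero
        raise ValueError("IP header checksum mismatch: packet corrupted in transit")
    (total_len,) = struct.unpack("!H", packet[2:4])
    if packet[9] != PROTO_TCP:
        raise ValueError("not a TCP segment")
    segment = packet[ihl:total_len]                       # Layer 3 header removed
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4                  # TCP header length in bytes
    return {
        "dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"),
        "src_ip": ".".join(str(b) for b in packet[12:16]),
        "dst_ip": ".".join(str(b) for b in packet[16:20]),
        "src_port": src_port, "dst_port": dst_port,
        "data": segment[data_offset:],                    # Layer 4 header removed
    }


if __name__ == "__main__":
    frame = encapsulate(b"hello", "00:13:e8:dd:47:76", "00:13:e8:aa:bb:cc",
                        "192.168.1.10", "192.168.1.20", 49152, 80)
    print(len(frame), "bytes on the wire:", frame.hex())
    print(decapsulate(frame))
```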

TCP/IP Physical and Data Link Layers


This section describes the lowest two layers of the TCP/IP protocol suite, which define the technology and components required for the functioning of a local area network (LAN). This section focuses on Ethernet technology, because this is the most commonly used LAN technology for small businesses. This section includes the following topics:

- Local Area Network Technology (Layer 1 and 2), page 3-3
- Ethernet Physical Layer (Layer 1), page 3-4
- Ethernet Data Link Layer (Layer 2), page 3-4
- CSMA/CD Technology, page 3-5
- LAN Transmission Methods, page 3-5
- LAN Topologies and Components, page 3-6
- Virtual LANs, page 3-7
- Switch Port Modes, page 3-8
- Spanning Tree Protocol, page 3-9
- Rapid Spanning Tree Protocol, page 3-10

Local Area Network Technology (Layer 1 and 2)


A local area network (LAN) is a high-speed data network that covers a small geographic area, such as an office location spanning a single building, or a few adjacent buildings within the same business. A LAN operates using protocols at the lowest two layers of the OSI reference model: the physical and data link layers. A LAN typically connects end-user devices such as PCs, laptops, printers, servers, and other devices. Users can use the LAN for communication using e-mail, to share access to devices or business applications, or to use other applications for information exchange. To access information that exists beyond a LAN, for example from the public Internet, the data packets must be sent outside the LAN and received from outside the LAN. LANs provide a high bandwidth network over limited distance at low cost, while WAN technologies provide long distance data transfer, but at a higher cost. Most data traffic in a business is localized within the office, so it makes sense to implement a LAN connecting all devices within the office, while using the WAN to access the Internet or connect to a remote business location.


This document focuses on Ethernet LANs because that is the type of LAN used by most small businesses. Other LAN technologies, such as Token Ring, are far less common and are rarely implemented by small businesses. Wireless LANs (WLANs) are beyond the scope of this document, but Chapter 7, Infrastructure Requirement for Wireless LAN describes the wired LAN requirements for implementing a WLAN. An Ethernet LAN is composed of devices having Ethernet network interface cards (NICs) and one or more switches, interconnected through Ethernet cables. In an Ethernet LAN, each end user device, such as a laptop or a server, is connected by an Ethernet cable to a switch in the LAN. When any end-user device sends data to another device, the switch to which it is connected directs the data to the next switch, and this is repeated until the data reaches its destination. Ethernet provides both physical layer protocols and data link layer protocols, which are described in the following sections.

Ethernet Physical Layer (Layer 1)


There are various Ethernet physical layer protocols and specifications, which differ in the bandwidth supported and the physical medium (copper wire or optical link) over which data is transferred. Some common ones include the following:

- 10BASE-T: Category 3 or 5 cable having four wires (two twisted pairs of copper wires). Supports maximum bandwidth of 10 megabits per second (Mbps).
- 100BASE-T: Category 5 cable having four wires (two twisted pairs of copper wires). Supports maximum bandwidth of 100 Mbps. Also called Fast Ethernet.
- 1000BASE-T: Category 5 copper cable. Maximum bandwidth is 1 gigabit per second (Gbps).
- 1000BASE-FX: Fiber cable. Maximum bandwidth is 1 Gbps.
- 1000BASE-SX: Fiber cable. Maximum bandwidth is 1 Gbps.
- 1000BASE-LX: Fiber cable optimized for long distances. Maximum bandwidth is 1 Gbps.

Ethernet Data Link Layer (Layer 2)


The Ethernet data link layer performs the following functions:

- Assigns a data link layer address to each device, known as the MAC address
- Transmits data frames from the source to the destination over the physical media
- Performs transmission error detection

The manufacturer of every Ethernet device permanently assigns the Ethernet MAC address, which is also called the manufacturer's hardware address, to the Ethernet hardware interface within the device. For example, the Ethernet port on every laptop has a unique MAC address, and so does each Ethernet port on every router, switch, and server. MAC addresses must be unique; no two devices should have the same MAC address. A MAC address is a 48-bit binary number, typically written as a series of six hexadecimal numbers, such as the following:
00.13.E8.DD.47.76

When an IP packet is transferred over an Ethernet network, the Layer 3 (network layer) IP header is encapsulated within the Layer 2 (data link layer) Ethernet header, and it is the Ethernet header that allows the Ethernet frame to be directed to the destination MAC address. The Ethernet header contains the source and destination MAC addresses, along with additional information used by the data link layer.


CSMA/CD Technology
In an Ethernet LAN, multiple devices, such as laptops, can be connected to a single Ethernet cable. Because multiple devices cannot talk on the network simultaneously, an Ethernet LAN must use some kind of mechanism that ensures that only one device sends data over the Ethernet cable at a time. This mechanism is built into the Ethernet LAN hardware, and is called Carrier Sense Multiple Access Collision Detect (CSMA/CD). With CSMA/CD, network devices connected to an Ethernet LAN cable (segment) contend for use of the cable to send data. When a device has data to send, it first listens to see if any other device is currently using the network. If not, it starts sending its data. After finishing its transmission, it listens again to see if a collision occurred. A collision occurs when two devices send data simultaneously. When a collision occurs, each device waits a random length of time before resending its data, to minimize the possibility of another collision. An Ethernet LAN segment, within which the connected devices compete for access, is called a collision domain. The busier a network becomes, the more collisions occur, so the performance of an Ethernet network degrades rapidly as the number of devices on a single network segment increases. One way to improve LAN performance is to use an Ethernet switch to segment the LAN into multiple collision domains, as shown in Figure 3-2.
Figure 3-2 Switch Interconnects Multiple Collision Domains

[Figure: a switch at the center with five links, each forming its own collision domain (collision domains 1 through 5).]

A switch has one collision domain per port.

Using a switch in this way reduces the number of devices per network segment that must contend for the Ethernet media. By creating smaller collision domains, the performance of a LAN can be increased significantly.
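The contention process described above, as an added Python simulation that is not part of the Cisco primer. Stations listen before sending, a collision occurs when two or more start in the same slot, each colliding station waits a random number of slots before retrying, and the same ten stations are compared on one shared segment against five smaller segments of two stations each, which is the effect of a switch giving every port its own collision domain. The slot model, the traffic rate, the backoff range and the seed are constructed for illustration; the function names are not from the primer. The metric to compare is collisions per delivered frame, which is what the segmented layout lowers.

```python
# Added example (not from the Cisco primer): slotted CSMA/CD simulation comparing
# one shared collision domain with several smaller ones. Parameters are constructed.
import random

FRAME_SLOTS = 4   # slots one successful frame keeps the cable busy


def simulate_segment(n_stations: int, slots: int, offer_prob: float, rng: random.Random) -> dict:
    """One collision domain. Returns counts of collisions and successfully delivered frames."""
    backoff = [0] * n_stations   # idle slots each station must still wait after a collision
    busy_until = 0               # first slot at which the cable is free again
    collisions = successes = 0
    for t in range(slots):
        if t < busy_until:       # carrier sense: a frame is on the cable, everyone defers
            continue
        starters = []
        for s in range(n_stations):
            if backoff[s]:
                backoff[s] -= 1                   # still waiting out a backoff
            elif rng.random() < offer_prob:
                starters.append(s)                # station has data and the cable is idle
        if len(starters) == 1:                    # exactly one sender: frame goes through
            successes += 1
            busy_until = t + FRAME_SLOTS
        elif len(starters) > 1:                   # two or more sent at once: collision
            collisions += 1
            for s in starters:                    # each waits a random time before retrying
                backoff[s] = rng.randint(1, 4)
    return {"collisions": collisions, "successes": successes}


def compare_layouts(n_stations: int = 10, n_segments: int = 5, slots: int = 2000,
                    offer_prob: float = 0.2, seed: int = 7) -> dict:
    """Same stations on one shared segment (hub) versus one segment per switch port."""
    rng = random.Random(seed)
    single = simulate_segment(n_stations, slots, offer_prob, rng)
    segmented = {"collisions": 0, "successes": 0}
    for _ in range(n_segments):
        part = simulate_segment(n_stations // n_segments, slots, offer_prob, rng)
        segmented["collisions"] += part["collisions"]
        segmented["successes"] += part["successes"]
    return {"single_domain": single, "segmented": segmented}


def collisions_per_frame(result: dict) -> float:
    """Collisions suffered per successfully delivered frame (lower is better)."""
    return result["collisions"] / max(result["successes"], 1)


def single_station_collisions(slots: int = 500) -> int:
    """A segment with one station never collides, whatever it offers."""
    return simulate_segment(1, slots, 0.5, random.Random(1))["collisions"]


if __name__ == "__main__":
    for name, res in compare_layouts().items():
        print(f"{name:14s} collisions={res['collisions']:4d} frames={res['successes']:4d} "
              f"collisions/frame={collisions_per_frame(res):.2f}")
```

With the shared cable, every delivered frame costs a sizeable number of collisions and the cable is busy serving one sender at a time; with one station pair per port, each segment delivers its own frames in parallel and the collision rate drops, which is the improvement the text attributes to smaller collision domains.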

LAN Transmission Methods


A packet can be sent by the LAN to one or more destinations in one of the following three possible ways:

- Unicast transmission: A single packet is sent from a source to a single destination on a network, based on the specific destination MAC address. Most data transfers in a LAN are unicast.
- Broadcast transmission: A single data packet from a source is copied and sent to all devices on the network. The packet destination MAC address has a special format, called the broadcast MAC address. When the packet is sent, the network sends the packet to every station on the network.
- Multicast transmission: A single data packet from a source is sent to a specific subset of devices on the network. The packet destination MAC address has a special format, called the multicast MAC address. When the packet is sent, the network sends a copy of the packet to each station that is a receiver of the multicast address.
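An added example, not from the Cisco primer, that decides from the destination MAC address alone which of the three transmission methods a frame uses. It goes one step beyond the text by showing the address bit that separates a unicast from a multicast destination (the least-significant bit of the first octet, the individual/group bit) and the bit that marks an address as locally administered rather than assigned by the manufacturer, and it accepts the dotted notation used in the Ethernet Data Link Layer section as well as colon and dash forms. The function names are not from the primer; the sample addresses are constructed, except that ff:ff:ff:ff:ff:ff is the broadcast address, 01:00:5e is the prefix of IPv4 multicast MAC addresses, and 01:80:c2:00:00:00 is the bridge group address used by Spanning Tree.

```python
# Added example (not from the Cisco primer): classify an Ethernet destination MAC
# address as unicast, broadcast or multicast, accepting the common notations
# (00.13.E8.DD.47.76, 00:13:e8:dd:47:76, 00-13-E8-DD-47-76, 0013.e8dd.4776).
import re

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def normalize_mac(mac: str) -> str:
    """Return the address as twelve lowercase hex digits in colon form, or raise ValueError."""
    if not re.fullmatch(r"[0-9A-Fa-f:.\-]+", mac):
        raise ValueError(f"unexpected characters in MAC address: {mac!r}")
    digits = re.sub(r"[:.\-]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"MAC address must have 48 bits (12 hex digits): {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def transmission_type(dst_mac: str) -> str:
    """Unicast, broadcast or multicast, decided by the destination address alone."""
    mac = normalize_mac(dst_mac)
    if mac == BROADCAST_MAC:
        return "broadcast"            # all ones: every station on the LAN accepts it
    first_octet = int(mac[:2], 16)
    # Least-significant bit of the first octet is the I/G (individual/group) bit:
    # 0 = addressed to one station (unicast), 1 = addressed to a group (multicast).
    return "multicast" if first_octet & 0x01 else "unicast"


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (second-least-significant bit of the first octet) is set:
    the address was set by an administrator or software, not burned in by the manufacturer."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def oui(mac: str) -> str:
    """First three octets: the manufacturer identifier of a universally administered address."""
    return normalize_mac(mac)[:8]


if __name__ == "__main__":
    # Constructed sample destinations; the last two are well-known group addresses.
    for dst in ("00.13.E8.DD.47.76", "FF:FF:FF:FF:FF:FF", "01:00:5e:00:00:fb", "01-80-C2-00-00-00"):
        print(f"{dst:20s} -> {transmission_type(dst)}")
```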


LAN Topologies and Components


An Ethernet LAN is composed of network devices, such as hubs and switches, interconnected by Ethernet cables. A network topology is a map of the network showing the way network devices are connected to each other.

Note

A router connects one LAN to another LAN or WAN. Therefore, the LAN interfaces of a router are also technically part of the LAN.

Modern Ethernet LANs use the star topology shown in Figure 3-3. In a star topology, multiple Ethernet segments are connected to a central device, which in modern LANs is a switch, but which theoretically could also be a hub. All connections in a star topology are point-to-point, which means that each device is connected to the switch over a separate Ethernet cable.
Figure 3-3 Star Topology LAN

[Figure: a switch at the center with a separate point-to-point Ethernet cable to each of a PC, a printer, an IP phone, a laptop, and a fax.]

In the past, an Ethernet LAN might use a hub as the central connecting device in a star topology. However, a hub is not as efficient as a switch, and it is therefore no longer recommended. A hub is simply a multi-port repeater, which interconnects multiple Ethernet segments. A hub simply passes on (repeats) the frames it receives through all its ports, so that all devices connected to the hub receive the frame. Only the intended destination uses the frame, while the rest of the devices simply discard the frame. Therefore a hub generates a lot of unnecessary traffic in the LAN, which reduces the effective bandwidth of the LAN.

Ethernet Switch and Its Functions


Like a hub, an Ethernet switch (see Figure 3-4) receives data packets from connected devices and forwards them to their destinations through its other connected links. However, a switch controls the flow of network traffic based on the MAC address in each packet. The function of a switch is to listen, learn, and forward. A switch includes many Ethernet ports, which allows the switch to interconnect other devices.


Figure 3-4 Ethernet Switch

First a switch listens, and when it receives a frame, it learns the port and the source MAC address of the frame, which is the MAC address of the external device that sent the frame. Over a period of time, as the switch receives traffic, it builds a table that maps the MAC address of each external device to the port that is either connected to the device or that provides a path to the device through another switch. When a switch receives a frame, it looks up the destination MAC address on this table. If the destination MAC address is on the table, the switch forwards the frame through the associated port. However, the destination MAC address is not on the table if the destination device has not previously sent at least one frame through the switch. In this case, the switch sends the received frame as a broadcast through all its interfaces, which is called flooding. When the switch receives a response from the destination device through a specific port, the switch maps the source address of the new device to this port. Subsequent traffic to this device is then forwarded through this single port. Because a switch learns the addresses of all its connected devices over a period of time, it reduces the generation of unnecessary duplicate frames, and this leads to improved LAN performance compared to a hub. In addition, a switch can simultaneously forward traffic between multiple pairs of devices, which increases the overall network bandwidth. Having fewer devices on an Ethernet segment improves network performance by reducing collisions. Therefore, it is recommended to connect a switch port to a single device, or to an IP phone and laptop (or other PC) belonging to a single user. To summarize, the following are the recommendations for optimal network performance:

Use a switch in a LAN rather than a hub.
Connect only one user or another switch to a switch port.
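The listen, learn, and forward behaviour described above, as an added example that is not part of the primer: a small switch model with a bounded MAC table, which floods frames for unknown destinations and broadcasts, and forwards out a single port once the destination has been learned. Port names, MAC addresses and the table size are constructed for illustration.

```python
"""Learning switch: listen, learn the source MAC per port, then forward or flood.

Added example (not from the primer). Ports, MAC addresses and the table size are
constructed for illustration.
"""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str  # source MAC address (the device that sent the frame)
    dst: str  # destination MAC address
    payload: str = ""


@dataclass
class Switch:
    ports: list                   # port names, e.g. ["p1", "p2", "p3", "p4"]
    max_entries: int = 8192       # a real MAC table is finite; once full, new sources stay unknown
    mac_table: dict = field(default_factory=dict)  # MAC address -> port it was learned on

    def receive(self, in_port: str, frame: Frame) -> list:
        """Handle one frame arriving on in_port; return the list of ports it is sent out of."""
        # Learn: record which port the source MAC lives behind. A repeat of a known
        # MAC simply refreshes (or moves) the entry; a new MAC is added while room remains.
        if frame.src in self.mac_table or len(self.mac_table) < self.max_entries:
            self.mac_table[frame.src] = in_port
        # Forward: a known unicast destination goes out exactly one port.
        out_port = self.mac_table.get(frame.dst)
        if frame.dst != BROADCAST and out_port is not None:
            # Destination sits behind the port the frame came from: nothing to forward.
            return [] if out_port == in_port else [out_port]
        # Unknown destination or broadcast: flood out every port except the ingress port.
        return [p for p in self.ports if p != in_port]


def demo():
    """Walk through the listen/learn/forward sequence described in the text."""
    sw = Switch(ports=["p1", "p2", "p3", "p4"])
    laptop, server = "00:00:00:00:00:0a", "00:00:00:00:00:0b"  # constructed MACs
    first = sw.receive("p1", Frame(src=laptop, dst=server))   # server unknown: flooded
    reply = sw.receive("p2", Frame(src=server, dst=laptop))   # laptop known: p1 only
    second = sw.receive("p1", Frame(src=laptop, dst=server))  # server now known: p2 only
    return first, reply, second, dict(sw.mac_table)


if __name__ == "__main__":
    print(demo())
```

The `max_entries` bound is there to make a real-world property visible: a switch's MAC table is finite, and a source that arrives after the table is full is never learned, so traffic to it keeps being flooded and the performance benefit over a hub is lost for that device.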

Virtual LANs
Virtual LANs (VLANs) divide a LAN into multiple logical LANs. Each VLAN creates a separate Ethernet broadcast domain that separates traffic from other VLANs. VLANs are useful when it is necessary to separate groups of users connected to the same physical LAN segment. For example, the accounting department may need to ensure that network traffic from the accounting servers is not received by users outside their department. In this case, users and servers in the accounting department can be placed in a separate VLAN.


A VLAN is identified by a number, but a name may be assigned to clarify the purpose of the VLAN. A new switch, by default, assigns VLAN 1, called the native VLAN, to all its switch ports so that traffic can flow between any pair of ports when the switch is enabled. When the switch is configured, the network administrator creates additional VLANs, assigns each VLAN a number, and assigns ports on the switch to the VLAN. For example, ports connected to all the users and servers in the accounting department might be assigned to VLAN 50, given the name accounting. The sales department's users and servers can be assigned to VLAN 51, named sales, and managers can be assigned to VLAN 52, named managers. The same port can be assigned to more than one VLAN. After ports are assigned VLAN numbers, a switch allows traffic to flow only between ports of the same VLAN. In Figure 3-5, for example, the switch allows a frame received on a port in VLAN 50 to be sent to any device connected to any other port in VLAN 50.
Figure 3-5 Segmenting a LAN into Multiple Virtual LANs (one switch carrying three VLANs: the Managers Department on VLAN number 52, VLAN name managers; the Accounts Department on VLAN number 50, VLAN name accounts; the Sales Department on VLAN number 51, VLAN name sales)

Recall that a switch sends a broadcast frame to all its ports. However, because each VLAN is a separate logical LAN, broadcasts in a VLAN are restricted to the ports within a single VLAN, and therefore do not affect other ports on the switch. In this way, a VLAN defines a separate broadcast domain within a switched network. Well-designed VLANs segment the network into multiple smaller broadcast domains, which can further improve overall network performance, as well as enhancing security and ease of administration.

Switch Port Modes


Each port on a switch (switch port) can be configured to run in either access mode or trunk mode. In access mode, the port belongs to one and only one VLAN, while in trunk mode the port can receive and send traffic belonging to multiple VLANs to another trunk port on a connected device. Normally, a switch port in access mode is connected to an end-user device, such as a laptop, or to a network interface card on a server. The frames transmitted on an access link use the standard Ethernet frame. A trunk port, on the other hand, can send or receive traffic for multiple VLANs over the same physical link (trunk). Trunk ports usually interconnect switches, as shown in Figure 3-6.


The IEEE 802.1Q standard specifies the format for Ethernet frames when the frame is sent through a trunk port. Such a trunk link is often called an 802.1q trunk. The standard Ethernet frame format is enhanced to include a special field that carries the VLAN number of the frame. This enables the receiver to distinguish between traffic belonging to different VLANs. For example, the network shown in Figure 3-6 has two VLANs:

VLAN 31 (DATA VLAN): Traffic from laptops and PCs
VLAN 41 (Voice VLAN): IP telephone traffic

All the laptops are connected to access ports on the switches that are placed in VLAN 31 (or DATA VLAN). Similarly, all IP telephones are attached to access ports in VLAN 41 (Voice VLAN). The inter-switch link and the link to the WAN router are 802.1q trunks. Each trunk carries traffic of both VLANs.
Figure 3-6 VLANs, Access Ports, and Trunk Ports (a WAN router, an aggregation switch and access switches joined by 10/100/1000 Mbps 802.1Q trunks that carry both the DATA VLAN, VLAN 31, and the Voice VLAN, VLAN 41; laptops sit on access ports in the DATA VLAN and IP phones on access ports in the Voice VLAN; the legend distinguishes trunk ports from access ports)

Figure 3-6 shows user computers and IP phones in separate VLANs, connected to separate ports on the switch. However, for every person having both devices, two separate cables are required from a desk to the nearest switch, which could be hundreds of feet away. To reduce the number of cables, some advanced IP phones use an internal switch. In this case, the laptop is connected to the switch in the IP phone and the IP phone forwards traffic of both DATA and Voice VLANs to the access switch through a single cable. Therefore the connection between the IP phone and the access switch can be an 802.1q trunk. However, some vendors support the use of an access link by tagging the data and voice frames in a specific way.
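The 802.1Q tag described above, as an added example that is not part of the primer: the code builds an untagged (access-link) frame and a tagged frame, parses both, and checks a frame against a trunk port's allowed-VLAN list. MAC addresses are constructed; the VLAN numbers 31 and 41 follow Figure 3-6.

```python
"""Build and parse Ethernet frames with and without an IEEE 802.1Q VLAN tag.

Added example (not from the primer). MAC addresses are constructed; the VLAN
numbers 31 (DATA) and 41 (Voice) follow Figure 3-6.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(part, 16) for part in mac.split(":"))


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Return an Ethernet frame; when vlan is given, insert the 4-byte 802.1Q tag."""
    header = mac_to_bytes(dst) + mac_to_bytes(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be 1..4094")
        # Tag = TPID (0x8100) + TCI: 3-bit priority (PCP), 1-bit DEI, 12-bit VLAN ID.
        tci = (pcp << 13) | vlan
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse a frame; 'vlan' is None for an untagged (access-link) frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = bytes_to_mac(frame[:6]), bytes_to_mac(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, pcp = tci & 0x0FFF, tci >> 13
        offset = 18
    return {"dst": dst, "src": src, "vlan": vlan, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def accept_on_trunk(frame: bytes, allowed_vlans: set) -> bool:
    """A trunk port forwards only frames tagged with one of its allowed VLANs."""
    return parse_frame(frame)["vlan"] in allowed_vlans


def demo():
    laptop, phone, gw = "00:00:00:00:00:31", "00:00:00:00:00:41", "00:00:00:00:00:01"
    access = build_frame(gw, laptop, ETHERTYPE_IPV4, b"data")               # untagged, access link
    voice = build_frame(gw, phone, ETHERTYPE_IPV4, b"rtp", vlan=41, pcp=5)  # tagged for the Voice VLAN
    return parse_frame(access), parse_frame(voice), accept_on_trunk(voice, {31, 41})
```

Note that the tag is inserted between the source MAC and the original EtherType, so a tagged frame is exactly four bytes longer than its untagged counterpart; the three priority bits in the TCI are what a switch uses to give voice frames precedence over data.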

Spanning Tree Protocol


The 802.1D Spanning Tree Protocol (STP) standard describes the specification for software that runs on a switch to prevent traffic loops in the LAN. A traffic loop causes a frame to go around the LAN in a loop indefinitely (see Figure 3-7). STP selects the paths to be used for forwarding traffic and puts redundant links in standby mode so that loops are eliminated, but without affecting the reachability of devices. Redundant links are required in a network to provide high availability in case of the failure of any link. STP responds to the failure of a link by enabling the appropriate standby link. When the failed link is restored, STP again puts the redundant link in standby mode.
Figure 3-7 Loop-Free Topology with Spanning Tree Protocol. Left panel, No Spanning Tree: a packet from laptop A to laptop B can loop between the switches due to parallel paths. Right panel, With Spanning Tree: Spanning Tree blocks a port to eliminate the loop, and the packet gets delivered.

STP running on a switch sends special frames to the other switches at regular intervals, called Bridge Protocol Data Units (BPDU). BPDUs allow the switch to discover the topology of the network, to identify the forwarding links and standby links, and to disable links as necessary to prevent a loop. If the LAN is changed by adding more devices or modifying Ethernet connections, STP calculates new loop-free paths automatically. Per VLAN Spanning Tree (PVST) ensures a loop-free LAN topology separately for each VLAN.

Rapid Spanning Tree Protocol


Rapid Spanning Tree Protocol (RSTP), which is described by the IEEE 802.1w standard is as an evolution of the 802.1D standard. RSTP allows STP to identify a loop-free LAN topology in a few seconds, compared to minutes for classical STP. The recalculation of the topology after the failure of a link or the addition of a new link or switch is called convergence. The rapid convergence that is provided by RSTP helps achieve a high level of LAN availability, which is required by delay-sensitive network applications. Rapid PVST is a variation of RSTP that quickly calculates a loop-free LAN topology separately for each VLAN. Rapid PVST is a Cisco enhancement to the standard that may not be available from all switch vendors. A small business network should deploy switches with some form of RSTP to reduce convergence time. Rapid PVST should be deployed, if available on a switch.
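The root election, port blocking and reconvergence discussed in the two STP sections above, as an added example that is not part of the primer: a simplified 802.1D computation over a three-switch triangle. Bridge IDs, link costs and the topology are constructed; a real switch reaches the same result by exchanging BPDUs rather than by running a graph algorithm on one node.

```python
"""Simplified 802.1D spanning tree: root election, port roles, and reconvergence.

Added example (not from the primer). Bridge IDs, link costs and the three-switch
topology are constructed; real STP exchanges BPDUs to arrive at the same result.
"""
import heapq

# Bridge ID = (priority, MAC); the lowest ID becomes the root bridge.
SW1 = (4096, "00:00:00:00:00:01")
SW2 = (8192, "00:00:00:00:00:02")
SW3 = (32768, "00:00:00:00:00:03")
LINKS = [(SW1, SW2, 4), (SW1, SW3, 4), (SW2, SW3, 4)]  # (bridge, bridge, path cost)


def root_path_costs(links, root):
    """Dijkstra from the root: cost to reach the root and the neighbor that path uses."""
    adj = {}
    for a, b, w in links:
        adj.setdefault(a, []).append((b, w))
        adj.setdefault(b, []).append((a, w))
    cost, via = {root: 0}, {root: None}
    heap = [(0, root)]
    while heap:
        c, node = heapq.heappop(heap)
        if c > cost[node]:
            continue  # stale heap entry
        for nb, w in adj.get(node, []):
            nc = c + w
            best = cost.get(nb)
            # Lower cost wins; on equal cost the lower sending bridge ID wins (STP tie-break).
            if best is None or nc < best or (nc == best and node < via[nb]):
                cost[nb], via[nb] = nc, node
                heapq.heappush(heap, (nc, nb))
    return cost, via


def port_roles(links):
    """Return (root bridge, {(bridge, neighbor): role}) for every port on every link."""
    bridges = {b for link in links for b in link[:2]}
    root = min(bridges)
    cost, via = root_path_costs(links, root)
    roles = {}
    for a, b, w in links:
        for me, other in ((a, b), (b, a)):
            if me not in cost or other not in cost:
                role = "isolated"    # no path to the root on this side of the link
            elif via[me] == other and cost[me] == cost[other] + w:
                role = "root"        # this bridge's best path toward the root
            elif (cost[me], me) < (cost[other], other):
                role = "designated"  # this bridge forwards for the segment
            else:
                role = "blocked"     # redundant path kept in standby to break the loop
            roles[(me, other)] = role
    return root, roles


def reconverge(links, failed_link):
    """Recompute the tree after a link fails: the blocked port becomes the new path."""
    return port_roles([link for link in links if link != failed_link])


def demo():
    root, before = port_roles(LINKS)
    _, after = reconverge(LINKS, (SW1, SW3, 4))
    return root, before, after


if __name__ == "__main__":
    print(demo())
```

With all three links up, SW3's port toward SW2 is blocked because both switches reach the root at cost 4 and SW2 has the lower bridge ID. When the SW1 to SW3 link fails, the recomputation turns that blocked port into SW3's root port at cost 8; the time a real network takes to make this switch is the convergence time that RSTP shortens from minutes to seconds.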


TCP/IP Network Layer


The Internet Protocol (IP) is the Layer 3 (network layer) protocol provided by the TCP/IP protocol suite. IP uses configurable, 32-bit addresses to identify network devices and for routing traffic. This section describes IP and includes the following topics:

IP Version 4 and IP Version 6, page 3-11
IP Packet, page 3-11
IP Address Classes, page 3-13
Private IP Addresses, page 3-14
Network Masks, page 3-15
IP Subnetting, page 3-15
TCP/IP Transport Layer, page 3-16

IP Version 4 and IP Version 6


In a typical computer network today, the source and destination endpoints communicating over a network are identified by an IP address. The IP address of any device that communicates within the same network must be unique, so that it has a unique destination address that ensures that it receives the traffic other devices in the network send to it. The IP address commonly used in networks today is based on version 4 of the IP specification, known as IPv4. An IPv4 address is a 32-bit (four-byte) binary number that is typically expressed as four decimal numbers separated by periods (called dotted decimal format), as in the following example:
209.165.200.227

The 32 bits of an IPv4 address provide up to 4.3 billion unique IP addresses. This number was deemed to be adequate when the TCP/IP protocol suite was initially devised. However, with the explosive growth of IP devices, it is now estimated that IP addresses will be exhausted eventually. As a result, IP version 6 (IPv6) has been defined, which uses 128-bit addresses. However, IPv6 has not yet been deployed widely. This document therefore focuses on IPv4 because it is used in the vast majority of networks. The term IP, as used in this document, refers to IPv4.

IP Packet
Sending information over a computer network is analogous to sending a message by a letter through the postal network. Just as a letter is placed in an envelope on which the destination address and the source address are written, the data to be transmitted (payload) is placed in an IP packet that also carries the IP address of the destination and source devices. A post office examines the destination address of a letter and forwards it to another post office if it cannot be delivered locally. Similarly, a router examines the destination IP address in the IP packet and forwards the packet to another router unless the message is for a network that is connected directly to the router. Just as the post office uses the zip code, which is a part of the address, to identify where to forward the letter, the router examines the first part of the IP address, called the network ID, to identify the router. The IP address, along with other information that helps in the transmission of the packet, is contained in the IP header. The IP header also provides information that allows the receiving device to make sure that the packet was not corrupted in transit (see Figure 3-8).


Figure 3-8 Structure of an IP Packet and the IP Header. IP packet structure: IP header followed by payload. Highlighted IP header fields: Type of service (contains the IP precedence or IP DSCP field to identify traffic such as voice, video and so forth); Protocol (identifies the type of payload, TCP, UDP and so forth, to help further processing of the payload); Source IP Address (IP address of the packet source); Destination IP Address (IP address of the packet destination).

Figure 3-8 shows the format of an IP packet, including the structure of the IP header and the functions of the most important fields. Although each header field is important to a networking device, only the highlighted fields are important for understanding IP networks:

Source address
Destination address
Protocol
Type of service (ToS)

Data Transfer in IP Networks


An IP network uses the IP address to identify the destination and the source for the purpose of transferring data over the network. The basic unit of data transfer in an IP network is a data packet or simply a packet, which is a series of data bytes. Although other networks use different addressing schemes, they are not commonly used in small business networks, and so we focus on IP networks in this document. Three types of data transfer occur in an IP network:

Unicast: A single source sends information to a single destination.
Broadcast: A single source sends information to every device in the network.
Multicast: A single source sends information to a predefined group of destinations. Destinations can be added or removed from the group.

Most communications in IP networks are unicast, although some applications support multicast communication, such as a single video stream simultaneously watched by numerous viewers. Networks use broadcast and multicast communication internally among network devices for certain signaling and control functions. Just as a switch forwards traffic in a Layer 2 network, a router forwards traffic using Layer 3 protocols. The router uses IP addresses to forward traffic in a network. For routing traffic in the network, a router implements the lower three layers of the TCP/IP protocol suite: the physical, data link, and IP layers.


The IP layer identifies each network by a network ID, which is the first part of the IP address. The router looks only at the network part of the address to determine whether the packet can be delivered locally or whether it has to be forwarded to another router. The router identifies the next hop router by looking at its routing table. The way the routing table is structured and populated depends on the routing protocol used, as described in the Routing and Routing Protocols section on page 4-1.

IP Address Classes
The binary number system uses 2 as the base, in the same way that the decimal system uses 10. Whether using base 10 or base 2, we calculate the value of a number by summing each digit multiplied by the place value of the base number. As an example using base 10, the number 234 can be represented as:
234 = 2 × 10^2 + 3 × 10^1 + 4 × 10^0

Similarly, the four-digit binary number 1011 can be represented as the following:
1 × 2^3 + 0 × 2^2 + 1 × 2^1 + 1 × 2^0 = 8 + 0 + 2 + 1

This binary number, therefore, has a value of 8+0+2+1 = 11. The 32 binary digits in an IPv4 address are divided into four bytes to make it easier to read. The IP dotted-decimal format expresses each of the four bytes as a decimal number and separates each decimal number by a period. The range of values in a byte can be 00000000 to 11111111 in binary or 0 to 255 in decimal. Figure 3-9 illustrates an example of an IP address in dotted-decimal format and its binary equivalent.
Figure 3-9 IP Address in Binary and Dotted-Decimal Format: 10.7.2.23 in dotted decimal is 00001010.00000111.00000010.00010111 in binary (byte 1 = 10, byte 2 = 7, byte 3 = 2, byte 4 = 23).

There are five classes of networks, A to E, but only class A, B, and C are commonly assigned to network devices (see Table 3-2).

Table 3-2 IP Network Address Classes

Network Class | Default Number of Bits in Network Part | Network Address Range | Address Range
Class A | 8 | 1.0.0.0 to 126.0.0.0 | 1.1.1.1 to 1.255.255.254 ... 126.1.1.1 to 126.255.255.254
Class B | 16 | 128.1.0.0 to 191.255.0.0 | 128.1.1.1 to 128.255.255.254 ... 191.1.1.1 to 191.255.255.254
Class C | 24 | 192.0.0.0 to 223.255.255.0 | 192.0.0.1 to 192.255.255.254 ... 223.0.0.1 to 223.255.255.254
Class D | N/A | 224.0.0.0 to 239.255.255.255 | N/A

Class A and B networks can have a huge number of IP addresses. Class C networks can have only 254 IP addresses for assigning to devices (0 and 255 are generally not assigned to devices). Class D addresses represent multicast destinations. Because a multicast stream is received by many devices, the multicast address is not specific to a single device. Instead, any device that wishes to receive a multicast stream addressed to a specific class D IP address submits a request to receive the stream using the Internet Group Multicast Protocol (IGMP).

Private IP Addresses
As mentioned earlier, some addresses have been set aside for use within the private networks of different organizations. These addresses cannot be used on devices connected directly to the public Internet, but the same addresses can be used by different organizations as long as they are confined to the private network and are not seen on the public Internet. Table 3-3 shows the IP address ranges that have been specified as reusable in the Internet standard, RFC 1918.
Table 3-3 Private IP Address Ranges

Private IP Address Range From | To | Subnet Mask
10.0.0.0 | 10.255.255.255 | 255.255.255.0
172.16.0.0 | 172.31.255.255 | 255.255.0.0
192.168.0.0 | 192.168.255.255 | 255.255.255.0

These reserved addresses are called private IP addresses, or RFC 1918 addresses. They are also called non-routable addresses, because they cannot be routed over the public Internet. IP addresses that are not private are called public IP addresses, or routable addresses. The internal network belonging to a business can use the entire range of private IP addresses, and this helps relieve the scarcity of IPv4 addresses. Devices within the private network can communicate using private IP addresses without any problem, because within the network each device has a unique IP address. Different organizations may also use the same range of private IP addresses, but these private addresses cannot be used for communication between two organizations over the public Internet. The TCP/IP protocol specification allows only communication over the public Internet using public IP addresses.


The solution to this problem is provided by a widely used address translation scheme that allows communication over the Internet between two organizations that use private IP addresses (see the Network Address Translation section on page 5-13.)

Network Masks
A network mask specifies the portion of an IP address that identifies the network and the portion that identifies the host. Class A, B, and C networks have default masks, also known as natural masks, as follows:

Class A: 255.0.0.0
Class B: 255.255.0.0
Class C: 255.255.255.0

To see how the mask helps identify the network and node parts of the address, convert the address and mask to binary numbers, as in the following example:
8.20.15.1 = 00001000.00010100.00001111.00000001
255.0.0.0 = 11111111.00000000.00000000.00000000

Any bits that have corresponding mask bits set to 1 represent the network ID. Any address bits that have corresponding mask bits set to 0 represent the node ID. In this example, the network ID is 8.0.0.0 and the host ID is 20.15.1, because the network mask indicates that only the first eight bits should be used to identify the network and the rest identify the host.

IP Subnetting
Subnetting divides a class A, B, or C network into multiple subnetworks or subnets. If an organization has one class C network for the entire organization, it is difficult to implement the network without subnetting. Each router interface requires its own network (or subnet) because each segment in a network must have a unique network ID. Each device on the same segment appears at the network layer as a host attached to the same network. Having a single network allows only a single network segment, which is too restrictive. Subnetting divides a Class A, B, or C network into smaller networks. Subnetting provides a number of subnets, each of which can be assigned to one network segment. To subnet a network, extend the natural mask for the class using some of the bits from the host ID portion of the address to create a subnetwork ID. Figure 3-10 shows a Class C network of 162.18.5.0, with a natural mask of 255.255.255.0, that is subnetted by extending the subnet mask by three bits.


Figure 3-10 Subnetting Applied to a Class C Address

Class C network address: 162.18.5.0 = 10100010 00010010 00000101 000 00000
Natural subnet mask: 255.255.255.0 = 11111111 11111111 11111111 000 00000
Extended by three bits: 255.255.255.224 = 11111111 11111111 11111111 111 00000
(the three bits set to 111 in the extended mask are the subnet bits)

By extending the mask to 255.255.255.224, three bits are taken from the original host portion of the address and used to create subnets. With these three bits, it is possible to create eight subnets (000 to 111). With the remaining five host ID bits, each subnet can have up to 32 host addresses. However, only 30 of these addresses can actually be assigned to devices because host IDs with all zeroes or all ones are not allowed. It is very important to remember this. Keeping this in mind, the following subnets can be created using the subnet mask 255.255.255.224:
Table 3-4 Subnets and host addresses with subnet mask 255.255.255.224

Network Address | Host Address Range
162.18.5.0 | 162.18.5.1 to 30
162.18.5.32 | 162.18.5.33 to 62
162.18.5.64 | 162.18.5.65 to 94
162.18.5.96 | 162.18.5.97 to 126
162.18.5.128 | 162.18.5.129 to 158
162.18.5.160 | 162.18.5.161 to 190
162.18.5.192 | 162.18.5.193 to 222
162.18.5.224 | 162.18.5.225 to 254

Subnetting occurs frequently in public networks. A small business typically uses private IP addresses on its private LAN. Subnetting is not required in a private network because each network segment can be assigned a different private Class C network address. However, subnetting might be useful if the business is assigned a public Class C address and it has more than one network segment that is accessed from the public Internet. The alternative, in this case, is to use private network addresses with Network Address Translation (NAT) for the network segments accessed from the public Internet. This is described in the Network Address Translation section on page 5-13. Public network addresses assigned by an ISP are typically already subnetted based on the number of host addresses required.
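The binary conversion, address classes, natural masks, RFC 1918 ranges and subnet enumeration covered in the preceding sections, as one added example that is not part of the primer. The bit arithmetic is written out by hand rather than taken from a library so that the effect of the mask is visible; the addresses are those of Figure 3-9, the network-mask example, Table 3-3 and Figure 3-10, and the function reproduces the rows of Table 3-4.

```python
"""Dotted-decimal/binary conversion, address class, network mask and subnet enumeration.

Added example (not from the primer). The bit arithmetic is done by hand to show what the
mask does; the addresses are those used in Figures 3-9 and 3-10 and in Table 3-3.
"""


def to_int(addr: str) -> int:
    """'10.7.2.23' -> 32-bit integer; rejects anything that is not four octets 0..255."""
    octets = [int(o) for o in addr.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {addr!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(addr: str) -> str:
    """Dotted decimal -> the four 8-bit groups of Figure 3-9."""
    value = to_int(addr)
    return ".".join(f"{(value >> shift) & 0xFF:08b}" for shift in (24, 16, 8, 0))


def address_class(addr: str) -> str:
    """Classful lookup decided by the leading bits of the first byte."""
    first = to_int(addr) >> 24
    if first < 128:
        return "A"   # 0xxxxxxx
    if first < 192:
        return "B"   # 10xxxxxx
    if first < 224:
        return "C"   # 110xxxxx
    if first < 240:
        return "D"   # 1110xxxx (multicast)
    return "E"       # 1111xxxx (reserved)


def split_address(addr: str, mask: str):
    """Apply the mask: bits under 1s form the network ID, bits under 0s the host ID."""
    a, m = to_int(addr), to_int(mask)
    return to_dotted(a & m), to_dotted(a & ~m & 0xFFFFFFFF)


# RFC 1918 ranges exactly as listed in Table 3-3 (from, to).
PRIVATE_RANGES = [("10.0.0.0", "10.255.255.255"),
                  ("172.16.0.0", "172.31.255.255"),
                  ("192.168.0.0", "192.168.255.255")]


def is_private(addr: str) -> bool:
    a = to_int(addr)
    return any(to_int(lo) <= a <= to_int(hi) for lo, hi in PRIVATE_RANGES)


def subnets(network: str, natural_mask: str, extra_bits: int):
    """Extend the natural mask by extra_bits; return (new mask, [(subnet, first host, last host)])."""
    net, nat = to_int(network), to_int(natural_mask)
    prefix = bin(nat).count("1") + extra_bits
    if prefix > 30:
        raise ValueError("fewer than two usable host addresses per subnet")
    new_mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    block = 1 << (32 - prefix)       # addresses per subnet, including the two that are never assigned
    rows = []
    for i in range(1 << extra_bits):
        base = (net & nat) + i * block
        # All-zeros host ID is the subnet address and all-ones is its broadcast; neither is assigned.
        rows.append((to_dotted(base), to_dotted(base + 1), to_dotted(base + block - 2)))
    return to_dotted(new_mask), rows


if __name__ == "__main__":
    print(to_binary("10.7.2.23"))
    print(split_address("8.20.15.1", "255.0.0.0"))
    for row in subnets("162.18.5.0", "255.255.255.0", 3)[1]:
        print(row)
```

`split_address` prints the host ID padded to four octets (0.20.15.1 for the 8.20.15.1 example) because it is returned as a full 32-bit value with the network bits cleared; the text's 20.15.1 is the same quantity with the leading zero byte dropped.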

TCP/IP Transport Layer


The Transport Control Protocol (TCP) and the User Datagram Protocol (UDP) are the transport layer (Layer 4) protocols defined for use with the TCP/IP protocol suite. The basic difference between the two protocols is that TCP is a connection-oriented protocol, while UDP is connectionless.


An application running on one computer can establish one or more TCP connections with one or more applications running on another computer. For example, laptop A can establish one TCP connection for file transfer with computer B, and another TCP connection for viewing a web page that is also hosted on computer B. Each TCP connection is considered separate, so failure of one TCP connection has no impact on the other, unless they are both used by the same application and are dependent on each other.

When data is sent over a TCP connection, the destination sends acknowledgement of the packets to the source. This helps the TCP protocol detect packet loss and resend lost packets, which is why TCP can ensure reliable data transfer for applications that do not have their own error recovery mechanisms. TCP can also adjust the sending rate depending on network congestion. TCP is used by applications such as Internet browsers, e-mail, and file transfer that can tolerate retransmission of data packets and that depend on the TCP error recovery mechanism. TCP is not used by applications sensitive to packet delay, or out-of-sequence packets.

UDP is a connectionless transport protocol, and does not require the overhead of setting up or tearing down a connection, so it provides more efficient data transfer compared to TCP. However, UDP has no acknowledgement mechanism, cannot resend lost packets, and has no method for controlling the rate of transmission. UDP is a best effort transport protocol and does not ensure reliable data transfer. It is commonly used by applications that provide their own error recovery mechanisms, or that cannot tolerate retransmission of packets, such as IP telephony or streaming video.

An application running on a computer may use TCP or UDP to send data to another application running either on the same computer or on another computer. To identify each such application, the computer assigns a TCP or UDP port number to each application. The TCP/IP protocol suite predefines a set of standard ports for commonly used applications, such as TCP port 25 for e-mail and TCP port 80 for web services. The TCP/IP protocol suite does not define protocols for the OSI session, presentation, and application layers. In the TCP/IP model, applications running on a computer perform the function of these three layers. The TCP and UDP port numbers provided by the transport layer allow the IP packet to be directed to the correct application running at a specific destination IP address, and the application then completes the processing that is defined at the upper layers of the OSI model.
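The IP header fields highlighted in Figure 3-8 (type of service, protocol, source and destination address), the header's corruption check, and the transport-layer port numbers just described, as one added example that is not part of the primer. It builds a TCP packet to port 80 and a DSCP-marked UDP packet, parses both, and shows that a single flipped bit is caught by the header checksum. Addresses and port numbers are constructed; the header layouts follow RFC 791 (IPv4), RFC 793 (TCP) and RFC 768 (UDP).

```python
"""Build and check an IPv4 packet (ToS/DSCP, protocol, addresses, header checksum) and
read the TCP or UDP port numbers that steer the payload to an application.

Added example (not from the primer). Addresses and ports are constructed; the header
layouts follow RFC 791 (IPv4), RFC 793 (TCP) and RFC 768 (UDP).
"""
import struct

PROTO_TCP, PROTO_UDP = 6, 17
IP_HEADER = "!BBHHHBBH4s4s"     # 20-byte IPv4 header without options


def ip_bytes(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def ip_str(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def checksum(data: bytes) -> int:
    """Internet checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, dscp: int = 0, ttl: int = 64) -> bytes:
    tos = dscp << 2                         # DSCP occupies the top six bits of the ToS byte
    header = struct.pack(IP_HEADER, 0x45, tos, 20 + len(payload), 1, 0, ttl, proto, 0,
                         ip_bytes(src), ip_bytes(dst))
    # The checksum is computed over the header with its checksum field zeroed, then written in.
    return header[:10] + struct.pack("!H", checksum(header)) + header[12:] + payload


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data  # UDP checksum 0 = not used


def build_tcp(sport: int, dport: int, data: bytes, flags: int = 0x18) -> bytes:
    """Minimal 20-byte TCP header (seq/ack left at 0, PSH+ACK flags by default)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0) + data


def parse_packet(pkt: bytes) -> dict:
    """Validate the IP header and return the fields the text highlights plus the ports."""
    if len(pkt) < 20:
        raise ValueError("shorter than an IPv4 header")
    ver_ihl, tos, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IP_HEADER, pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    hlen = (ver_ihl & 0x0F) * 4
    if hlen < 20 or total_len < hlen or len(pkt) < total_len:
        raise ValueError("inconsistent length fields")
    # A header that arrived intact sums to zero once its own checksum field is included.
    if checksum(pkt[:hlen]) != 0:
        raise ValueError("IP header checksum mismatch: packet corrupted in transit")
    payload = pkt[hlen:total_len]
    info = {"src": ip_str(src), "dst": ip_str(dst), "proto": proto, "dscp": tos >> 2, "ttl": ttl}
    if proto in (PROTO_TCP, PROTO_UDP) and len(payload) >= 4:
        # Both TCP and UDP headers begin with 16-bit source and destination ports.
        info["sport"], info["dport"] = struct.unpack("!HH", payload[:4])
    return info


def demo():
    web = build_ipv4("10.11.31.10", "192.168.3.10", PROTO_TCP,
                     build_tcp(49152, 80, b"GET / HTTP/1.0\r\n"))
    voice = build_ipv4("10.11.41.5", "10.11.41.6", PROTO_UDP,
                       build_udp(16384, 16384, b"rtp"), dscp=46)
    corrupted = bytearray(web)
    corrupted[16] ^= 0x01                   # flip one bit in the destination address
    try:
        parse_packet(bytes(corrupted))
        detected = False
    except ValueError:
        detected = True
    return parse_packet(web), parse_packet(voice), detected


if __name__ == "__main__":
    print(demo())
```

The checksum covers only the IP header, which is why the router can verify it at every hop without touching the payload; the transport layer carries its own checksum for the data. DSCP 46 is the marking commonly used for voice, which is the kind of traffic the Type of service field exists to identify.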


Chapter 4

Protocols and Features Used in a TCP/IP Network


There are several other protocols that are commonly used in the TCP/IP network. This chapter describes the most important ones and includes the following sections:

Routing and Routing Protocols, page 4-1
Dynamic Host Control Protocol, page 4-4
Domain Name System, page 4-5
Dynamic DNS, page 4-6
Address Resolution Protocol, page 4-3

Routing and Routing Protocols


Routing is the process of forwarding data packets over the optimal path through the network. In an IP network, routing is based on the IP address in each data packet. An IP network is connected by routers, as shown in Figure 4-1. A router is a device that maintains a routing table identifying the best paths through a network, often by communicating with other routers using a specific routing protocol, and forwards traffic based on the entries in its routing table.
Figure 4-1 Network with Routers (five routers, R1 through R5, joined by links labelled with routing costs such as 10, 20 and 30; Laptop A at 10.11.31.10 is on the segment of router interface 10.11.31.1 and Laptop B at 192.168.3.10 on the segment of interface 192.168.3.1; other interface addresses visible in the figure include 172.168.5.1, 60.10.1.1 and 60.10.1.2)

Figure 4-1 illustrates a network with five routers that are connected to Ethernet or other types of network segments. Because an IP address belongs to Layer 3, a router is said to perform Layer 3 forwarding. By contrast, a switch forwards traffic based on the MAC address and so performs Layer 2 forwarding. There is also something called Layer 3 switching, which is described in the Layer 3 Switching section on page 5-5. Routers can have multiple interfaces of different types for connecting to LANs or to WANs. Each interface is connected to a different network and has a unique network ID. The router forwards packets between networks through its interfaces. Each path in a network has an associated cost for routing. This cost can be assigned in one of the following ways:

Calculated automatically based on the bandwidth of each network link
Calculated automatically based on the number of network links (hops) to reach the destination
Configured explicitly

A router forwards packets to the destination using what appears to the router as the lowest cost path, which is determined by the routing protocol used.

Static Routing
A router can be manually configured to forward traffic destined to a specific network or subnetwork by forwarding it to the IP address of a specific router (known as next hop IP address), or through a local interface. A manually configured fixed route rule is called a static route, which is permanent unless it is manually changed. The default route is a special static route that specifies the next hop IP address to which traffic should be forwarded when the route to the destination network is unknown.

Dynamic Routing
Routers using a dynamic routing protocol automatically exchange messages and learn the best way to forward packets from a source to a destination based on the path cost. Some widely used dynamic routing protocols include the following:

Routing Information Protocol (RIP)
Interior Gateway Routing Protocol (IGRP)
Extended Interior Gateway Routing Protocol (EIGRP)
Open Shortest Path First (OSPF)
Intermediate System to Intermediate System (IS-IS)
Border Gateway Protocol (BGP)

Dynamic routing can be selectively enabled on a router to work on specific IP subnetworks and not for the others. With dynamic routing protocols running on every router, if a router or a link joining two routers fails, the routers exchange information about the failure and identify an alternate network path from a source to a destination, if available.


Depending on the network size and complexity, the number of routers, and the routing protocols used, network convergence may take a fraction of a second to a few seconds. Fast convergence helps to make the network more resilient in the event of component failure. If a business has two or more routers in the same location, dynamic routing is strongly recommended. Protocols, such as EIGRP and OSPF, are more efficient than RIP v2 when the network has many routers. To configure dynamic routing on a router, at a minimum you need to specify the following:

The dynamic routing protocol name (RIP v2, EIGRP, OSPF, or whatever protocol is used)
List of network subnets that the routing protocol should advertise to other routers

If a network has a single router, as occurs in many small business networks, dynamic routing provides no benefit, and static routing is sufficient. Table 4-1 shows the contents of a sample routing table.
Table 4-1 Sample Routing Table

Route Type | IP Subnet/Subnet Mask | Next Hop IP address or Directly Connected Interface
Directly connected to router interface | 10.11.4.0/24 | Gigabit Ethernet 0/1.1
Directly connected to router interface | 10.11.31.0/24 | Gigabit Ethernet 0/1.2
Directly connected to router interface | 192.168.1.0/24 | Gigabit Ethernet 1/0
Directly connected to router interface | 209.165.201.227/27 | Fast Ethernet 0/3/0
Static route | 0.0.0.0/0 | 209.165.201.226

In the example shown in Table 4-1, the IP subnet 10.11.4.0/24 is connected to the router interface Gigabit Ethernet 0/1.1. The router forwards all traffic to this subnet through the same sub-interface. The default route is 0.0.0.0/0. In this case, the default route points to 209.165.201.226, so all traffic with an unknown destination IP address is forwarded to this address. That next hop lies in the directly connected subnet 209.165.201.227/27, so the traffic is sent through the interface Fast Ethernet 0/3/0, as shown in the fourth line of the table.
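The lookup a router performs against a table like Table 4-1, as an added example that is not part of the primer: the most specific (longest) matching prefix wins, a directly connected route names the outgoing interface, and a static route names a next-hop address that is itself looked up to find the interface. The routes are those of Table 4-1; the destination addresses tried in demo() are constructed.

```python
"""Longest-prefix-match lookup against the routing table of Table 4-1.

Added example (not from the primer). The routes are those of Table 4-1; the destination
addresses looked up in demo() are constructed.
"""


def to_int(addr: str) -> int:
    o = [int(x) for x in addr.split(".")]
    return (o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]


def parse_cidr(cidr: str):
    """'209.165.201.227/27' -> (network as int, prefix length, mask); host bits are masked off."""
    addr, plen = cidr.split("/")
    plen = int(plen)
    mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
    return to_int(addr) & mask, plen, mask


# (route type, IP subnet/mask, next hop or directly connected interface), as in Table 4-1
ROUTES = [
    ("connected", "10.11.4.0/24", "Gigabit Ethernet 0/1.1"),
    ("connected", "10.11.31.0/24", "Gigabit Ethernet 0/1.2"),
    ("connected", "192.168.1.0/24", "Gigabit Ethernet 1/0"),
    ("connected", "209.165.201.227/27", "Fast Ethernet 0/3/0"),
    ("static", "0.0.0.0/0", "209.165.201.226"),
]


def lookup(routes, dst: str):
    """Return (prefix length, route type, next hop/interface) of the most specific match, or None."""
    d = to_int(dst)
    best = None
    for kind, cidr, via in routes:
        net, plen, mask = parse_cidr(cidr)
        if d & mask == net and (best is None or plen > best[0]):
            best = (plen, kind, via)
    return best


def resolve(routes, dst: str, depth: int = 0) -> dict:
    """Decide how the router sends to dst: directly out an interface, or to a next hop."""
    hit = lookup(routes, dst)
    if hit is None:
        raise LookupError(f"no route to {dst}")
    plen, kind, via = hit
    if kind == "connected":
        return {"prefix": plen, "next_hop": None, "interface": via}
    if depth > 8:
        raise LookupError(f"next hop {via} does not resolve to an interface")
    # A static route names an IP address; look that address up in turn to find the interface.
    nested = resolve(routes, via, depth + 1)
    return {"prefix": plen, "next_hop": via, "interface": nested["interface"]}


def demo():
    return {dst: resolve(ROUTES, dst)
            for dst in ("10.11.4.7", "209.165.201.230", "198.51.100.9")}


if __name__ == "__main__":
    for dst, decision in demo().items():
        print(dst, decision)
```

The depth guard matters in practice: a static route whose next hop is reachable only through the default route would otherwise make the recursive lookup loop, and a real router flags such a route as unresolvable rather than installing it.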

Address Resolution Protocol


Address Resolution Protocol (ARP) is the glue that binds IP addresses (Layer 3) to the Ethernet MAC addresses (Layer 2). To deliver a packet to an Ethernet network device, the IP address of the destination device must be present in the IP header, and its MAC address must be present in the Ethernet header. The IP address is typically known, or it can be obtained using the device name using Domain Name Service (DNS). However, the MAC address is not typically known by the sender. ARP provides the method for discovering the MAC address of the destination device. Before transmitting a frame to a destination device, an ARP request packet is broadcast to all the hosts in the Ethernet collision domain, asking for the MAC address of the device associated with a given IP address. The owner of the IP address sends a response packet with its MAC address. After the sender knows the MAC address of the destination, it can send Ethernet frames to it.

Network Primer for Small Businesses

4-3

Chapter 4 Dynamic Host Configuration Protocol

Protocols and Features Used in a TCP/IP Network

The mapping between IP addresses and MAC addresses is stored in an ARP table by each router having a network interface in the collision domain. To keep the table current, a newer association between an IP address and a MAC address overwrites an older one, and associations expire after a few hours by default. ARP is used by all network devices with Ethernet interfaces, including routers, switches, PCs, laptops, and servers.

Sometimes a network device announces its MAC address to the Layer 2 network to which it is connected by broadcasting an ARP request packet that contains its own IP address and MAC address. This is called gratuitous ARP, and it helps the other devices in the network learn its MAC address. It is often used when a device boots up, or when its Ethernet card (and therefore its MAC address) is changed. A device can also use a gratuitous ARP to find out whether any other device in the network has been configured with the same IP address: if so, the gratuitous ARP sender receives an ARP response from the device with the duplicate address.

Proxy ARP is another use of ARP in which one host, usually a router, answers ARP requests intended for another machine. In this case, the router acts as a proxy for the destination and accepts responsibility for forwarding packets to it. Although Proxy ARP can help a host reach remote subnets, the same result can be achieved by routing or default gateway configuration, which is typically the preferred way.
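The following Python example is added here and is not from the primer or from any Cisco software. It builds and parses ARP request, reply, and gratuitous ARP frames, and models an ARP table in which a newer binding overwrites an older one and entries expire; the MAC addresses and the four-hour default lifetime are constructed sample values, while 10.11.31.1 and 10.11.31.10 are addresses used elsewhere in this chapter.

```python
import struct
import time

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"
OP_REQUEST, OP_REPLY = 1, 2


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def _ip(text):
    return bytes(int(octet) for octet in text.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip, dst_mac=None):
    """Build an Ethernet frame carrying an Ethernet/IPv4 ARP packet
    (HTYPE=1, PTYPE=0x0800, HLEN=6, PLEN=4). Requests are broadcast;
    replies go to the requester. No padding to the 60-byte minimum is added."""
    if dst_mac is None:
        dst_mac = BROADCAST if op == OP_REQUEST else target_mac
    eth = _mac(dst_mac) + _mac(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    arp += _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": _mac_str(frame[22:28]),
        "sender_ip": _ip_str(frame[28:32]),
        "target_mac": _mac_str(frame[32:38]),
        "target_ip": _ip_str(frame[38:42]),
    }


def is_gratuitous(arp):
    """A gratuitous ARP announces the sender's own address: sender IP == target IP."""
    return arp is not None and arp["sender_ip"] == arp["target_ip"]


class ArpTable:
    """IP-to-MAC cache: a newer binding overwrites an older one, and an entry
    expires ttl seconds after it was learned (constructed default: 4 hours)."""

    def __init__(self, ttl=4 * 3600, clock=time.time):
        self.ttl, self.clock, self._entries = ttl, clock, {}

    def learn(self, arp):
        """Record the sender's binding from a parsed request or reply."""
        self._entries[arp["sender_ip"]] = (arp["sender_mac"], self.clock())

    def lookup(self, ip):
        """Return the MAC for ip, dropping and ignoring an expired entry."""
        entry = self._entries.get(ip)
        if entry is None or self.clock() - entry[1] > self.ttl:
            self._entries.pop(ip, None)
            return None
        return entry[0]
```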

Dynamic Host Configuration Protocol


The IP address of a computer on a specific LAN segment must be within the range of IP addresses assigned to the corresponding IP subnet. For example, if an IP subnet is assigned the IP address range from 10.11.31.1 to 10.11.31.230, then any computer or other network device on that subnet should have an IP address within that range. If you move a laptop from an office to your home network, the IP subnet changes and your laptop is not able to access the network until its IP address is updated. Although you can manually change the IP address, a laptop typically uses the Dynamic Host Configuration Protocol (DHCP) to automatically obtain an IP address from whatever network device is acting as the DHCP server. This allows the laptop to be moved around in the network without requiring manual reconfiguration. For this to work, each subnet needs to have access to a DHCP server.

The computers and other devices that receive IP addresses from a DHCP server are called DHCP clients. The DHCP server is configured with one or more ranges of IP addresses, called IP address pools, and dynamically assigns an available address from a pool to each DHCP client. For example, a DHCP server can be configured with two IP address pools, such as 10.11.31.10 to 10.11.31.254 and 10.11.41.5 to 10.11.41.250. When a laptop or other end-user device starts and needs an IP address, it broadcasts a DHCP request to the network. The broadcast is received by every device attached to the LAN (collision domain). The DHCP server receives the request and selects an unused IP address from the pool corresponding to the IP address of the interface on which the request was received. In this example, if the DHCP server receives a DHCP request from a laptop through an interface with the IP address 10.11.31.1, the server selects an unused IP address from the range 10.11.31.10 to 10.11.31.254. It then sends a DHCP reply containing the IP address (called a lease) to the laptop.

The IP address lease is for a fixed time (normally several hours), after which it expires. Before the lease expires, the laptop must make a new DHCP request to renew its lease. DHCP also helps minimize laptop configuration by providing additional information, called DHCP options, that would otherwise have to be configured manually. These options often include the following:


- Default gateway IP address
- One or more DNS server IP addresses
- TFTP server IP address
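As an added example (not the primer's own), the following Python model implements the pool selection and lease handling described above, using the two pools from this section and, for the default gateway option, the subinterface addresses 10.11.31.1 and 10.11.41.1 from Table 5-1. The DNS server address 198.51.100.53 and the client MAC addresses are constructed placeholders.

```python
import time
from ipaddress import ip_address, ip_network


class DhcpServer:
    """Model of DHCP pool selection and lease bookkeeping.

    A request is answered from the pool whose subnet contains the address of
    the interface on which the broadcast arrived; each lease expires after
    lease_time seconds unless the client renews it first.
    """

    def __init__(self, pools, options, lease_time=8 * 3600, clock=time.time):
        # pools: {"subnet/len": (first_ip, last_ip)}; options: {"subnet/len": {...}}
        self.pools = {ip_network(net): (ip_address(lo), ip_address(hi))
                      for net, (lo, hi) in pools.items()}
        self.options = options
        self.lease_time, self.clock = lease_time, clock
        self.leases = {}   # client MAC -> (leased address, expiry time)

    def _pool_for(self, interface_ip):
        addr = ip_address(interface_ip)
        return next((net for net in self.pools if addr in net), None)

    def _expire_leases(self):
        now = self.clock()
        for mac in [m for m, (_, exp) in self.leases.items() if exp <= now]:
            del self.leases[mac]

    def request(self, client_mac, interface_ip):
        """Answer a DHCP request received on interface_ip.

        Returns the reply (leased address, mask, options) or None when no pool
        matches the receiving interface or the matching pool is exhausted.
        """
        self._expire_leases()
        subnet = self._pool_for(interface_ip)
        if subnet is None:
            return None
        held = self.leases.get(client_mac)
        if held is not None and held[0] in subnet:
            ip = held[0]                          # renewal keeps the same address
        else:                                     # new client, or one that moved subnets
            in_use = {ip for ip, _ in self.leases.values()}
            ip, last = self.pools[subnet]
            while ip <= last and ip in in_use:
                ip += 1
            if ip > last:
                return None                       # pool exhausted
        expiry = self.clock() + self.lease_time
        self.leases[client_mac] = (ip, expiry)
        reply = {"ip": str(ip), "mask": str(subnet.netmask), "expires": expiry}
        reply.update(self.options.get(str(subnet), {}))
        return reply


# Constructed server: pools from this section, default gateways from Table 5-1.
# The DNS server 198.51.100.53 is a placeholder, not an address from the primer.
SERVER = DhcpServer(
    pools={"10.11.31.0/24": ("10.11.31.10", "10.11.31.254"),
           "10.11.41.0/24": ("10.11.41.5", "10.11.41.250")},
    options={"10.11.31.0/24": {"router": "10.11.31.1", "dns": ["198.51.100.53"]},
             "10.11.41.0/24": {"router": "10.11.41.1", "dns": ["198.51.100.53"]}},
)

if __name__ == "__main__":
    # Constructed client MAC: a laptop asking on the DATA subinterface, then moving to Voice.
    print(SERVER.request("aa:aa:aa:aa:aa:01", "10.11.31.1"))
    print(SERVER.request("aa:aa:aa:aa:aa:01", "10.11.41.1"))
```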

Domain Name System


It is easier to identify devices by names rather than by IP addresses. It is much easier to access a web page by typing http://www.yahoo.com than by typing something like http://40.256.39.239. Also, the IP address associated with a company might change, or a new server might become available that provides faster service. The Domain Name System (DNS) provides a method for associating names with IP addresses. DNS logically divides the world into high-level domains, such as the following:

- .com: Commercial organizations
- .org: Nonprofit organizations
- .net: Networking entities
- .edu: Educational organizations

Any public or private network that communicates over the public Internet should be part of one of these domains. Figure 4-2 shows a few commercial organizations under the .com domain.
Figure 4-2 Sub-domains of the .com Domain
(Figure: the .com domain containing the sub-domains example.com, google.com, and example2.com.)

When a small business wants to create a domain name, it selects a unique domain name and registers it with the Internet Network Information Center (InterNIC) through a domain name registrar. Domain name registrars are commercial organizations, including many ISPs, that register domain names for a fee. After registering the domain name, the business assigns Fully Qualified Domain Names (FQDN) to each of the devices that will be accessed through its name, rather than through its IP address. Typically, these devices include web servers, e-mail servers, and computers running business-specific applications, and in some cases, network devices.
Table 4-2 Examples of Fully Qualified Domain Names

Network Device or Computer | Fully Qualified Domain Name (FQDN) of Network Device or Computer | IP Address
Web server | www.example.com | 206.165.200.227
E-mail server | smtp.example.com | 206.165.200.230


The domain information, the FQDNs, and the associated IP addresses are maintained by computers called name servers or DNS servers. After the information for the small business is entered into the DNS server, users can access these devices by name (www.example.com) rather than having to remember an IP address. Typically, the ISP that provides the Internet connection to a small business also provides the required DNS servers and provides the IP address for these servers. All user laptops, PCs, and servers must be configured to use these DNS server addresses. It is also possible for a small business to install and maintain its own DNS server.

Note: Instead of configuring every device manually with the DNS server addresses, the DHCP server can be configured to provide the addresses as a DHCP option in the DHCP reply sent to the laptop, PC, or other network device when it obtains its IP address.

When a user directs a web browser to www.example.com, a DNS query containing the FQDN is sent to the IP address of the DNS server that is configured on the user's computer. The DNS server responds with the IP address (for example, 206.165.200.227) associated with the FQDN. After receiving the DNS response, the browser application sends the HTTP request to the web server using the IP address 206.165.200.227. If the DNS server does not find an IP address for the FQDN, it forwards the DNS query to other DNS servers on a list that it maintains.

A DNS server also stores the IP address of the e-mail server for the domain. When an e-mail is sent to user@example.com, the sending e-mail server queries the DNS server to identify the IP address of the e-mail server for the domain example.com. When it gets the response, it forwards the e-mail to the IP address given in the response.

Typically, small businesses use the DNS servers provided by their ISP. However, a small business may install and maintain a local DNS server if it uses different IP addresses for servers that are accessed from the public Internet than for internal servers that are accessed by employees. In this case, employees use the local DNS server to map host names to the servers' private addresses, while external users use a DNS server on the public Internet to map host names to the public addresses.

Dynamic DNS
With the traditional DNS protocol, the IP address associated with an FQDN is manually configured on the DNS server, and any changes must also be entered manually. A DNS server is not able to resolve an FQDN correctly if the device IP address changes frequently, which occurs when the device gets its IP address using DHCP. The IP address of the device may change when its lease expires and a new IP address is leased, but the DNS server is unaware of the new IP address unless it has been manually reconfigured. The dynamic DNS (DDNS) service provided by some ISPs alleviates this problem by having the device automatically notify the ISP whenever its IP address changes. The dynamic DNS server is updated with the new IP address, and so DNS continues to work. Dynamic DNS is suitable for residential broadband deployments and for small businesses. For example, DDNS is required when users need to access a video surveillance camera from the public Internet (http://mycamera.example.com) and the device gets its IP address using DHCP. In this case, as soon as the router provides a new IP address to the camera, it also updates the DDNS server with the new IP address. This helps ensure that the FQDN-to-IP address mapping remains accurate.


Chapter 5 Network Architecture for a Small Business


This chapter describes a small business network architecture in terms of the network components such as switches and routers, their connections, and their roles. In addition, it provides details about the functionality that is most important for a small business network. This chapter includes the following sections:

- Small Business Network Topology, page 5-1
- Ethernet Switches, page 5-4
- WAN Routers, page 5-9
- Network Management, page 5-17

Small Business Network Topology


Network topology describes the interconnection of the various components of the network. A typical small business network generally includes at least one router and one or more switches. Additional components such as wireless access points, wireless LAN (WLAN) controllers, and certain infrastructure servers (such as a RADIUS server, DHCP server, or Unified Communications Manager) may also be included in the topology description. A small business network supporting a handful of employees can be as simple as a single router with enough ports to connect all the end-user devices. In larger deployments, the network may include multiple Ethernet switches and other components. Figure 5-1 illustrates the small business network topology shown earlier in Figure 1-3 on page 1-6, with additional details, such as the VLANs typically used in a small business network. This topology is typical for a small business network that supports data and voice services, as well as servers, such as e-mail servers, that are accessed from the public Internet. The network shows three VLANs: DATA for PCs, laptops, and servers; Voice for IP phones; and DMZ for traffic to and from the DMZ servers. The Voice or DMZ VLANs are absent when these services are not deployed.


Figure 5-1 Small Business Network Topology
(Figure: the WAN router connects to the WAN/Internet through Fast Ethernet 0/1 with address 50.101.1.1 and has a single LAN interface; an 802.1Q trunk carrying all three VLANs connects the router to the aggregation switch; 10/100/1000 Mbps Ethernet links and 802.1Q trunks carrying the DATA and Voice VLANs connect the aggregation switch to the access switches; the DMZ VLAN holds servers accessible from the Internet, and the Data and Voice VLANs hold IP phones, PCs, and shared devices and servers not accessible from the Internet.)

In Figure 5-1, the LAN interface, Gigabit Ethernet 0/1, is logically divided into three subinterfaces. Each subinterface has its own IP address and is placed in a separate VLAN. The access ports are the ports on the access switch connected to end-user devices. IP phones often have an integrated switch; in such cases, the PC or laptop can be connected to the IP phone rather than to the access switch, which eliminates additional cabling. The link between the access switch and the IP phone then carries both the DATA and the Voice VLANs.

Local Area Network


The LAN consists of one or more switches and is shown bounded by the gray cloud in the figure. A small business may have a single switch if it has enough ports to connect to all the required devices. Sometimes, in very small networks, the switch is integrated with the WAN router to provide a single box solution for better cost and simpler manageability. If more than one switch is required, traffic from them is aggregated by an additional switch called the aggregation switch (sometimes it is called the distribution switch). The switches that are directly connected to devices, such as laptops, PCs, or IP phones are called access switches. These switches are often placed in wiring closets, and thus are also known as wiring closet switches. Connecting switches in this way creates a two-layer LAN:

- The access layer includes the access switches.
- The aggregation layer, also known as the distribution layer, includes the aggregation (distribution) switch.

This two-layer architecture improves LAN scalability and supports deploying the optimal switches as access and aggregation switches. In larger networks, a third layer (the core layer) may be required for additional traffic aggregation using a high capacity switch. This three-layer architecture is not usually required in small business networks.


In the two-layer LAN described here, the LAN is connected to all the end-user devices, the servers, and the shared devices. The LAN switch uses high-speed interfaces (100/1000 Mbps) to provide users with high-speed access to shared devices, such as printers, business servers, network storage devices, and servers accessed from the public Internet. The network shown in Figure 5-1 segregates different types of traffic into separate VLANs. This improves LAN scalability and improves network security. Different network security policies can be applied to each VLAN. For example, a laptop can browse the Internet, but an IP phone may not need Internet access. Figure 5-1 shows the following VLANs, which can be used in a small business network to separate traffic of different types:

- DATA VLAN: All laptops and PCs are placed in this VLAN. In addition, shared devices, such as printers, NAS devices, and business servers, can also be included.
- Voice VLAN: Connects all IP telephony devices. This VLAN can be omitted if IP telephony is not deployed.
- DMZ VLAN: Connects all servers that can be accessed from the public Internet. These servers need specific security policies, and therefore the traffic to and from these servers should be kept in a separate VLAN. See the Firewall Policy Enforcement section on page B-2 for more details. The DMZ VLAN can be omitted if these servers are not deployed.

The LAN is also connected to the WAN router, as shown in Figure 5-1.

Wide Area Network


The wide area network (WAN) components of a small business network include the following:

- A router, for Layer 3 forwarding of traffic among all the VLANs, to the public Internet, and possibly to other sites over a VPN connection, if the small business has other business locations.
- The WAN connection, which can be a broadband connection to the public Internet, or a leased line connection to another site or to the public Internet. The connection to another site or to the Internet is terminated on the WAN router.
- A PSTN connection, for telephone calls to telephones that are outside the IP telephony network. The PSTN connection is typically terminated on the WAN router so that it can connect IP phones with the PSTN.

A WAN router can have multiple interfaces of different types, including the following:

- Ethernet
- Serial
- Frame Relay
- ISDN
- Channelized T1/E1
- Broadband connection, such as DSL

These interfaces are used for connecting to a LAN or to a WAN. Each router interface requires the configuration of a different IP subnet, and the router is responsible for forwarding IP packets from one subnet to another over these interfaces. A typical router has one or more LAN interfaces, which can be Fast Ethernet (100 Mbps) or Gigabit Ethernet (1 Gbps). Each of these interfaces must be assigned an IP address before it can be used for forwarding IP traffic.


A single Ethernet interface on a router can be configured to function as several subinterfaces, each of which is associated with a VLAN and an IP address. Table 5-1 shows the interface Gigabit Ethernet 0/1 divided into three subinterfaces.

Table 5-1 VLAN Termination on WAN Router

Sub-Interface | Associated VLAN | IP Address of the Sub-Interface
Gigabit Ethernet 0/1.1 | VLAN 31 (DATA) | 10.11.31.1/24
Gigabit Ethernet 0/1.2 | VLAN 41 (Voice) | 10.11.41.1/24
Gigabit Ethernet 0/1.3 | VLAN 51 (DMZ) | 10.11.51.1/24

The link connecting the Gigabit Ethernet 0/1 interface with the aggregation switch carries the traffic of three VLANs, so both endpoints of this link should be configured for 802.1Q trunking.
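As an added example that is not part of the original document, the following Python code inserts and parses the 802.1Q tag that a trunk adds to each frame and maps the VLAN ID to the subinterface of Table 5-1; the frame contents and MAC addresses are constructed.

```python
import struct

TPID_8021Q = 0x8100

# Table 5-1: VLAN ID -> (router subinterface, IP address of the subinterface)
SUBINTERFACES = {
    31: ("Gigabit Ethernet 0/1.1", "10.11.31.1/24"),  # DATA
    41: ("Gigabit Ethernet 0/1.2", "10.11.41.1/24"),  # Voice
    51: ("Gigabit Ethernet 0/1.3", "10.11.51.1/24"),  # DMZ
}

# Constructed untagged IPv4 frame: destination MAC, source MAC, EtherType 0x0800
# and a dummy 20-byte payload (real frames are padded to at least 60 bytes).
UNTAGGED_FRAME = (bytes.fromhex("001122334455") + bytes.fromhex("aabbccddeeff")
                  + struct.pack("!H", 0x0800) + b"\x45" + b"\x00" * 19)


def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q tag after the source MAC, as a trunk port does on egress.

    The tag is the TPID 0x8100 followed by the 16-bit TCI: 3-bit priority (PCP),
    1-bit drop-eligible flag (left 0) and the 12-bit VLAN ID.
    """
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame):
    """Return the tag fields of an 802.1Q frame, or None if the frame is untagged."""
    if len(frame) < 18:
        return None
    (tpid,) = struct.unpack("!H", frame[12:14])
    if tpid != TPID_8021Q:
        return None
    tci, ethertype = struct.unpack("!HH", frame[14:18])
    return {"vid": tci & 0xFFF, "pcp": tci >> 13, "ethertype": ethertype}


def classify(frame):
    """Decide which subinterface on the Gigabit Ethernet 0/1 trunk receives a frame.

    Untagged frames and frames tagged with a VLAN that is not terminated in
    Table 5-1 have no subinterface and would be dropped by the router.
    """
    tag = parse_tag(frame)
    if tag is None:
        return {"vlan": None, "subinterface": None, "reason": "untagged frame"}
    entry = SUBINTERFACES.get(tag["vid"])
    if entry is None:
        return {"vlan": tag["vid"], "subinterface": None, "reason": "VLAN not terminated"}
    return {"vlan": tag["vid"], "subinterface": entry[0], "ip": entry[1], "pcp": tag["pcp"]}


if __name__ == "__main__":
    for vid in (31, 41, 51, 99):
        print(vid, classify(tag_frame(UNTAGGED_FRAME, vid)))
    print("untagged", classify(UNTAGGED_FRAME))
```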

Ethernet Switches
After describing the overall structure of a small business network, this section focuses on the Ethernet switch, which is one of the most important individual network components. This section describes how an Ethernet switch works and the switch characteristics relevant to a small business network. It includes the following topics:

- Ethernet Interface Types and Operating Modes, page 5-4
- IP Multicast and IGMP Snooping, page 5-5
- Managed and Unmanaged Switches, page 5-5

Ethernet Interface Types and Operating Modes


As described earlier, an Ethernet switch performs Layer 2 forwarding of Ethernet frames. Modern switches perform this forwarding in hardware, which allows high-speed data forwarding. A typical Ethernet switch provides ports at two speeds: 100 Mbps (Fast Ethernet) or 1000 Mbps (Gigabit Ethernet). Switches with ports that can be internally configured to different speeds are preferable. In a half-duplex Ethernet segment, which is the traditional Ethernet mode using CSMA/CD, a device transmitting data cannot receive at the same time. A full-duplex Ethernet connection allows a device to transmit and receive data at the same time. Therefore, the overall network can transmit more traffic than a half-duplex network can. For example, in a 100 Mbps Ethernet interface configured for full duplex operation, total traffic rate through the cable can potentially reach 100 Mbps in each direction, for a total of 200 Mbps through the cable. In contrast, a 100 Mbps half-duplex network cannot exceed the 100 Mbps traffic rate. Full-duplex mode, which is specified by IEEE 802.3x standard, does not use CSMA/CD. It uses a point-to-point bidirectional link that avoids collision, which allows a device to transmit and receive data simultaneously. Full-duplex mode is recommended because of the following advantages:

- Higher throughput due to simultaneous bidirectional traffic flow.
- Better link efficiency because of the lack of collisions.
- Cable lengths can be longer than with half-duplex.


Half-duplex cables are limited to a maximum cable length because a collision indication sent by the farthest connected station must be received before a network device finishes sending a complete packet. Autonegotiation automatically ensures that the pair of ports connecting two devices with an Ethernet cable have the same speed and duplex setting. When autonegotiation is turned on for both ports, the ports talk to each other and adjust their speeds and duplex settings accordingly. This feature is recommended for all switches in a small business network.

IP Multicast and IGMP Snooping


IP multicast is ideal for certain applications, such as video telecasting of a live event. With IP multicast, rather than sending a separate copy of a packet to each destination, the packet source sends a single copy to a predefined multicast group, using a class D multicast IP address. The network copies the information as necessary so that it is received by the destinations belonging to the multicast group. Destinations join the multicast group by sending requests using the Internet Group Management Protocol (IGMP). Multicast transmissions reduce the use of network bandwidth by avoiding the transmission of unnecessary copies of the information. Multicast information is transmitted as an IP packet with a destination IP address within a specific range, known as the multicast IP address range.

Unfortunately, when an Ethernet switch receives a multicast IP packet, it broadcasts the packet through all its other ports. This may be unnecessary when only a few users actually belong to the multicast group. If IGMP snooping is enabled on the switch, the switch keeps track of user requests to join a multicast group and forwards the multicast traffic only to the interested users. This avoids generating and sending unnecessary multicast traffic. If any IP multicast application is deployed, IGMP snooping should be available and enabled on all switches.

Managed and Unmanaged Switches


An unmanaged switch cannot be accessed for changing its configuration. It has a fixed configuration with all ports in the same VLAN, and this cannot be changed. This type of switch can be used only in the simplest network. A managed switch allows changes in configuration depending on the network deployment. A managed switch is preferable even for simple networks, because it can be reconfigured to accommodate network growth.

Layer 3 Switching
Most switches forward traffic based on MAC address, while routers forward traffic based on the IP address of a packet. However, a Layer 3 switch has additional hardware capability, allowing it to forward traffic based on the IP address as well. A Layer 3 switch acts like a router when forwarding traffic using the IP address. Due to hardware-based packet routing in a Layer 3 switch, high capacity layer-3 forwarding can be achieved. However, a Layer 3 switch with all the required capability of a general purpose router may be more expensive than a similar router because it is harder to implement these features in specialized hardware than through software.


Due to the possibility of high-traffic volume in a LAN, a Layer 3 switch offers a cost-effective solution for limited Layer 3 switching in the LAN. To improve LAN performance, it is sometimes necessary to split the users into multiple VLANs. This results in inter-VLAN routing, or layer-3 forwarding of traffic from one VLAN to another. It is perfectly feasible to use a router for inter-VLAN routing, but with the limited routing capability required in a LAN, a Layer 3 switch may cost less to achieve the same level of performance. In general, Layer 3 switches are cost-effective within a LAN where high traffic volume is expected, but where advanced router capability, such as setting up VPNs, firewalling, or dynamic routing are not required.

Power over Ethernet


A switch can provide electrical power for IP phones and other low-voltage devices through Power over Ethernet (PoE) ports. This popular feature simplifies installation of IP phones, wireless access points, and video surveillance devices, and reduces cable clutter. If a small business eventually plans to migrate to IP telephones, it is advisable to buy switches with PoE capabilities for investment protection.

Quality of Service in a Switch


Quality of service (QoS) enables a switch to classify traffic into different traffic classes, such as voice and data traffic, and to apply different policies to traffic classes, including the following:

- Limiting the maximum traffic rate received or transmitted through an interface.
- Providing a minimum bandwidth to a traffic class during congestion.
- Providing forwarding priority to one traffic class over all others, so that any packet of that class is forwarded before traffic of other classes. This is typically required for IP telephony voice traffic.

Details about QoS technology are provided in Appendix A, Quality of Service.


LAN High Availability


In general, the availability of a network device can be improved through redundant components (fans, power supplies, processors, and so forth). In addition, the features described in the following topics can improve the availability of the LAN:

- Switch Stack, page 5-7
- Link Aggregation (EtherChannel), page 5-7

Switch Stack
Two or more switches can be stacked together to form a logical switch. This improves availability of the combined switches because traffic can reach the destination network device through the multiple switches in the stack.

Link Aggregation (EtherChannel)


Link aggregation (Cisco EtherChannel) lets two or more Ethernet links between two switches, or between a switch and an end-user device, be bundled together. The bundled links act like a single physical Ethernet link. The major advantages of link aggregation include the following:

- Higher link bandwidth: The bandwidth of the aggregated link is the sum of the bandwidth of each constituent link. For example, aggregating three Fast Ethernet links provides a 300 Mbps link. Without link aggregation, the same three links connected in parallel would provide only 100 Mbps, because two of the three parallel links would be blocked by Spanning Tree Protocol (STP) to avoid a loop.
- Redundancy: Link aggregation improves the reliability of the aggregated link. If a single physical link fails, traffic can still be sent through the surviving links in the bundle.

There are some restrictions when using link aggregation:

- It is supported only by full-duplex links. This is not a serious issue, because full-duplex operation is recommended anyway.
- All links being aggregated must have the same bandwidth. For example, you cannot bundle a 100 Mbps link with a 1 Gbps link.

Link aggregation is recommended if a higher bandwidth link or a more reliable link is required in a critical part of the network.

Switch Security
This section describes several recommended Ethernet switch security features in the following topics:

- Port Security, page 5-8
- BPDU Guard, page 5-8
- Storm Control, page 5-8
- Port-Based Network Access Control (802.1x), page 5-9


Switches provide additional security features, which are not described here, including the following:

- Dynamic ARP Inspection
- IP Source Guard

For details, see the following websites:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_50_se/configuration/guide/swdhcp82.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_50_se/configuration/guide/swdynarp.html

Port Security
A switch learns the MAC addresses of connected devices when it receives packets from them and maintains information about each connected device in its MAC address table. This is a potential security risk, because a hacker can simply send lots of packets with different MAC addresses to a switch and this can overflow the MAC address table in the switch. The port security feature improves security by limiting access on a specific port to a configurable number of hosts. For example, if a laptop and IP phone are both connected to a port on the access switch, port security may be configured to learn no more than two MAC addresses through the port, one MAC address for the laptop, and the other for the IP phone. If a hacker tries to send packets with additional MAC addresses, the port can be configured to be automatically disabled. It is recommended to deploy port security on access ports connected to end-user devices on any switch that supports the feature. Port security should not be enabled on switch ports connected to other switches or routers.
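The following Python model is an added example, not Cisco's code: it simulates a switch MAC address table with a port-security limit on an access port, showing the laptop-and-IP-phone case from the text, the violation that error-disables the port, and an unprotected uplink on which the table can fill up. The port names, the table capacity and the MAC addresses are constructed.

```python
class Port:
    """Switch port. max_macs=None turns port security off, which is what the
    text recommends for ports facing other switches or routers."""

    def __init__(self, name, max_macs=None):
        self.name, self.max_macs = name, max_macs
        self.enabled = True
        self.secure_macs = set()   # addresses learned under the port-security limit


class Switch:
    def __init__(self, capacity, ports):
        self.capacity = capacity   # MAC address table size of this (constructed) switch
        self.ports = {p.name: p for p in ports}
        self.mac_table = {}        # source MAC -> port name
        self.events = []           # violation log an administrator would review

    def receive(self, port_name, src_mac):
        """Process the source address of a frame arriving on port_name and
        return a short description of what the switch did with it."""
        port = self.ports[port_name]
        if not port.enabled:
            return "dropped: port err-disabled"
        if self.mac_table.get(src_mac) == port_name:
            return "forwarded"                 # station already known on this port
        if port.max_macs is not None and len(port.secure_macs) >= port.max_macs:
            # Port-security violation: shut the port and flush its addresses.
            port.enabled = False
            for mac in port.secure_macs:
                self.mac_table.pop(mac, None)
            port.secure_macs.clear()
            self.events.append(f"{port_name}: unexpected source {src_mac}, port err-disabled")
            return "violation: port err-disabled"
        if src_mac not in self.mac_table and len(self.mac_table) >= self.capacity:
            return "table full: not learned"   # the overflow the text warns about
        self.mac_table[src_mac] = port_name
        if port.max_macs is not None:
            port.secure_macs.add(src_mac)
        return "learned"

    def reenable(self, port_name):
        """Administrator re-enables a port after investigating the violation."""
        self.ports[port_name].enabled = True


if __name__ == "__main__":
    # Constructed: access port Fa0/1 limited to two stations, uplink Gi0/24 unlimited.
    sw = Switch(capacity=4, ports=[Port("Fa0/1", max_macs=2), Port("Gi0/24")])
    for mac in ("00:1a:a0:00:00:01", "00:1b:d4:00:00:02", "02:00:00:00:00:ff"):
        print("Fa0/1", mac, "->", sw.receive("Fa0/1", mac))
    print(sw.events)
```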

BPDU Guard
BPDU Guard can be used to prevent network connection mistakes or attacks that modify the spanning tree to cause spanning tree loops and degrade LAN performance. Switches exchange BPDUs as part of the process of building and maintaining the spanning tree. A switch expects to receive BPDUs on ports that are connected to other switches. Other ports of the switch should not receive any BPDUs. An attacker can send BPDUs from a laptop or other device to modify the spanning tree. An unauthorized switch connected by a user to get some additional ports may also send BPDUs. Such BPDUs can be prevented by configuring the BPDU Guard feature on any switch ports that are not supposed to be connected to other switches. If a BPDU guard-enabled port receives a BPDU, the port is automatically disabled. The administrator can re-enable the port after investigating the anomaly. It is recommended to enable BPDU Guard, if available on a switch, on all access ports not connected to another switch.

Storm Control
Storm Control allows a switch to set an upper limit on the percentage of port bandwidth that broadcast, multicast, and unicast traffic can use. This feature can be used to prevent broadcast or multicast storms in a LAN, which can degrade LAN performance. Storm Control can be selectively enabled on one or more ports on a switch.


Although not essential, Storm Control can help suppress broadcast and multicast storms caused by a denial-of-service (DoS) attack, or by a network device malfunction.

Port-Based Network Access Control (802.1x)


Port-Based Network Access Control, specified by the 802.1x standard, allows only authorized users to send traffic to a LAN and restricts the traffic to a VLAN associated with the user. Before a user can access the LAN, an administrator must enter the user details in an Authentication, Authorization, and Accounting server (AAA server), such as a RADIUS server. The AAA server maintains a database of users and their associated information, such as user ID, password, and network access privileges, including the VLANs the user can access. After the user account information is added to the AAA server database, when a user connects a laptop or other computer to an access switch, the access switch prompts for the user ID and password. After obtaining the credentials, the switch forwards them to the AAA server. The AAA server authenticates the user and directs the switch to place the associated switch port in the authorized VLAN. This limits user access to the authorized VLAN. If authentication fails, the user is denied access to any protected VLANs.

WAN Routers
A WAN router is a complex device that performs a wide variety of functions apart from Layer 3 forwarding of packets. It supports a variety of interface types and add-on modules to provide additional services such as voice call processing. This section describes the WAN router functionality and includes the following topics:

• WAN Router with Integrated Switch, page 5-9
• WAN Interface and Connection Types, page 5-10
• Router DHCP Server, page 5-10
• Router Authentication Server, page 5-10
• WAN Router Security, page 5-11
• WAN Router Quality of Service, page 5-12
• WAN Router High Availability, page 5-12
• Hot Standby Router Protocol, page 5-13
• Network Address Translation, page 5-13

WAN Router with Integrated Switch


A router may have a switch integrated into its chassis to provide a single box solution for small businesses, or simply to reduce the component count in the network. The switch can serve as an access switch, or as an aggregation switch connected to multiple access switches. This can reduce cost by eliminating the need to purchase a dedicated aggregation switch.


WAN Interface and Connection Types


A router WAN interface can use a variety of WAN technologies as described in the Wide Area Network section on page 5-3. If no access from the public Internet is required to any server, then the WAN interface can dynamically obtain its IP address from the service provider network, using DHCP, Point-to-Point Protocol over Ethernet (PPPoE), PPP over ATM (PPPoA), or another similar protocol. A PPP-based protocol authenticates the WAN router based on a user ID and password assigned to the WAN router and known by the service provider. Traffic can flow through the WAN link only after the PPP session is established, and the WAN interface gets an IP address as part of the PPP session negotiation. DHCP-based WAN interfaces do not perform this authentication, so in this case a user ID and password for the WAN router are not necessary. If access from the public Internet to any server is required, or if a VPN connection is required, ask the service provider to assign a static IP address to the WAN interface and provide an additional static IP address for each server.

Router DHCP Server


In a small business network, the WAN router typically acts as the DHCP server, providing IP addresses dynamically to end-user devices such as PCs, laptops, and IP phones. As shown in Figure 5-1, the WAN router can be configured with the IP address pool 10.11.31.10 to 10.11.31.250 for the DATA VLAN and another pool 10.11.41.10 to 10.11.41.250 for the Voice VLAN. A laptop DHCP request is received by the router over the DATA VLAN on an interface with the IP address 10.11.31.1. Accordingly, the WAN router chooses an IP address from the pool 10.11.31.10 to 10.11.31.250 to match the subnet of the receiving interface (see Table 5-1). Typical DHCP options available for laptops include DNS server addresses and the default gateway address; IP phones additionally need the IP address of the server they download their configuration from (DHCP option 150 on Cisco IP phones).
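The two pools described above, as an added Cisco IOS example (not from the original primer). The router interface addresses follow the text; the DNS and TFTP server addresses, the excluded ranges and the subinterface names are assumptions.

```cisco
! Added example: router DHCP pools for the DATA and Voice VLANs.
! DNS/TFTP addresses, excluded ranges and interface names are assumptions.
!
! Keep .1-.9 and .251-.254 out of the pools: .1 is the router interface,
! the rest are reserved for statically addressed devices. Without these
! lines the pool would hand out every usable address in the subnet.
ip dhcp excluded-address 10.11.31.1 10.11.31.9
ip dhcp excluded-address 10.11.31.251 10.11.31.254
ip dhcp excluded-address 10.11.41.1 10.11.41.9
ip dhcp excluded-address 10.11.41.251 10.11.41.254
!
ip dhcp pool DATA
 network 10.11.31.0 255.255.255.0
 default-router 10.11.31.1
 dns-server 10.11.31.5
 domain-name example.com
 lease 1
!
ip dhcp pool VOICE
 network 10.11.41.0 255.255.255.0
 default-router 10.11.41.1
 ! option 150: TFTP server from which the phones load their configuration
 option 150 ip 10.11.41.5
!
! The router selects the pool whose "network" contains the address of the
! interface the request arrived on: 10.11.31.1 -> DATA, 10.11.41.1 -> VOICE.
interface GigabitEthernet0/1.31
 encapsulation dot1Q 31
 ip address 10.11.31.1 255.255.255.0
!
interface GigabitEthernet0/1.41
 encapsulation dot1Q 41
 ip address 10.11.41.1 255.255.255.0
!
! Verification:
!   show ip dhcp binding
!   show ip dhcp pool
```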

Router Authentication Server


A router can authenticate users against user IDs and passwords stored in the router itself. This kind of password-based authentication is used to authenticate a VPN user, or when an administrator logs in to the router management interface. Storing and checking passwords in the router helps reduce the number of network devices by eliminating the need for an external authentication server. When an external server is used, the router typically communicates with it using the RADIUS protocol; a common arrangement is to try the RADIUS server first and fall back to the local accounts only if the server is unreachable. Locally stored passwords should be kept as hashed secrets rather than as reversibly encrypted passwords, because router configurations are routinely backed up and shared.
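An added Cisco IOS example (not from the original primer) of the arrangement just described: administrator logins go to RADIUS first and fall back to a local account, and management access is limited to SSH. The user names, the RADIUS address, the domain name and every secret are assumptions.

```cisco
! Added example: management authentication on the WAN router.
! User names, the RADIUS address, domain name and all secrets are assumptions.
aaa new-model
! Try RADIUS first; use the local database only if no RADIUS server
! answers, so a dead server does not lock administrators out.
aaa authentication login default group radius local
radius-server host 10.11.31.5 key S3cret-change-me
!
! Local accounts: "secret" stores a hash. "username ... password" (type 7)
! is reversibly encoded and is recovered in seconds from a saved config.
username admin privilege 15 secret Adm1n-change-me
enable secret En4ble-change-me
!
! SSH instead of Telnet, so credentials do not cross the LAN in clear text.
ip domain-name example.com
crypto key generate rsa modulus 2048
ip ssh version 2
!
line vty 0 4
 login authentication default
 transport input ssh
 exec-timeout 10 0
!
! Verification:
!   show aaa servers
!   test aaa group radius admin Adm1n-change-me legacy
```

VPN user authentication uses the same method lists: the VPN configuration references a named login list built exactly like the default one above, so the RADIUS-then-local behaviour carries over without a second set of accounts.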


WAN Router Security


Some security features that can be implemented with the help of a router are described in the following topics:

• Intrusion Prevention System, page 5-11
• Guest Access, page 5-11
• Spam Blocking, page 5-11
• URL Filtering, page 5-11
• Content Filtering, page 5-12

For more details about the security features on a router, see Appendix B, Network Security and Appendix C, Virtual Private Network (VPN) for Secure Connectivity.

Intrusion Prevention System


Cisco Intrusion Prevention System (IPS) helps mitigate the effects of common security threats, such as worms, network viruses, and context-based attacks by helping to detect, classify, and stop these threats. Although most of these threats are expected from the Internet, it is also possible to spread viruses or worms from inside the organization. IPS can be configured to offer bidirectional protection. With IPS, the signatures of a large number of known attacks are downloaded periodically to the router. If the router detects an attack, it drops the corresponding traffic.

Guest Access
This feature is typical with wireless access and limits traffic of visitors accessing the network to a specific VLAN. Thus, for example, visitors can have access to the Internet only, and not to local servers. It is typically deployed through configuration on the wireless LAN controller and the WAN router.

Spam Blocking
Spam blocking is a feature that is not implemented in the WAN router, but which supplements the WAN router security features. Spam blocking drops or quarantines spam e-mails, or adds a cautionary text to their subject lines. This mitigates the employee time wasted on unwanted e-mail. Specialized spam-blocking appliances are available for small businesses for this purpose. Alternatively, a third-party service provider can process all the e-mail for a small business to eliminate spam, and then forward valid e-mail to the small business. If this functionality is required, the router may need to be configured to support it, for example to deliver inbound e-mail to the appliance or to accept inbound e-mail only from the service provider's servers.

URL Filtering
URL filtering is a feature that can be implemented in the WAN router or can be offloaded to external servers or provided by a third-party service. URL filtering allows a network administrator to create a list of URLs that should not be accessed by employees. The configuration is typically based on known malicious URLs that pose potential threats, or the business policy of the small business that prohibits access to certain kinds of websites from the business network.


Content Filtering
Content filtering is a feature that can be implemented in the WAN router or can be provided by a third-party service. Content filtering protects employees from web-based malware, adware, spyware, and phishing. Instead of specifying the exact URLs to block as in case of URL filtering, content filtering allows the administrator to specify a security rating, which is typically assigned to web pages by a third-party service provider. Any web pages that do not match the required security rating are blocked. In addition, the administrator can specify certain categories of web pages to block, such as violence, games, and adult content. Content filtering is typically a subscription-based service.

WAN Router Quality of Service


In most small business networks, the WAN router has a 100 Mbps or 1000 Mbps LAN interface, while the WAN interface bandwidth is much less. As a result, the router often receives more traffic from the LAN than it can send through the WAN. The WAN interface then becomes congested, and critical traffic (such as routing, VoIP signaling, and real-time voice traffic) can be dropped. Congestion is not usually an issue with traffic sent from the WAN to the LAN because the LAN typically has more than enough bandwidth to handle the incoming traffic. QoS is configured on the router to prevent such traffic drops for important classes of traffic and to forward voice traffic with minimal delay. See Appendix A, Quality of Service, for more details.

WAN Router High Availability


This section describes WAN router high availability features and includes the following topics:

• Redundant WAN Links, page 5-12
• Link Aggregation, page 5-12

Redundant WAN Links


Although network devices from reputable vendors are generally reliable, the WAN link failure rate varies among service providers and locations. Therefore, providing redundant WAN links is often the first step to take for ensuring high availability. In this case, both WAN links could be leased lines, or one of them can be used for Internet access using xDSL. It is possible to balance the traffic across the two links, or to use each link for a specific traffic type. For example, one link may be dedicated to Internet traffic only, and the other link used for VPN traffic. If one link fails, the remaining link can carry both types of traffic. The traffic that the two WAN links carry individually during normal operation and during a WAN link failure is governed by the routing policy configured on the router.

Link Aggregation
Link aggregation allows multiple physical links between two network devices to be bundled so that the bundled links behave like a single link. If one of the physical links fails, the remaining links stay operational and the bundle continues to carry traffic at reduced capacity.


Hot Standby Router Protocol


Hot Standby Router Protocol (HSRP) allows one router to act as a backup router in case of the failure of another router. The two routers share a virtual IP address, which is the default gateway address that end devices use. When two routers are configured with HSRP, the router that actively receives and forwards traffic sent to the virtual address is called the active router and the other router is called the standby router. If the active router fails, the standby router detects the failure (it stops receiving the active router's periodic hello messages) and becomes active. A router can be configured to be an active router for the traffic received by some of its interfaces, and to be a standby for traffic received on other interfaces. It is also possible to have a network in which the primary WAN router is the HSRP active router for intersite traffic, while it is the standby router for Internet traffic. Conversely, the secondary WAN router can be the standby router for intersite traffic, while being the active router for Internet traffic. With this configuration, during normal network operations, the primary WAN router receives and forwards all intersite traffic, including voice over IP (VoIP), intersite data and so forth. If the primary router fails, then the secondary router becomes the active router for intersite traffic. Similarly, the secondary router normally forwards traffic to and from the Internet, but the primary router forwards the traffic if the secondary router is not operational. Virtual Router Redundancy Protocol (VRRP) and Gateway Load Balancing Protocol (GLBP) provide functionality that is similar to HSRP.
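An added Cisco IOS example (not from the original primer) of one HSRP group on the DATA VLAN, with the primary router preferred and demoted automatically if its WAN link goes down. The physical addresses .2 and .3, the interface names, the priorities, the tracked WAN interface and the key string are assumptions; the virtual address 10.11.31.1 is the gateway address used in this chapter. The mirrored scheme described above (primary active for intersite traffic, secondary active for Internet traffic) is the same configuration applied to a second group with the priorities reversed.

```cisco
! Added example: HSRP between primary (R1) and secondary (R2) WAN routers.
! Addresses .2/.3, interface names, priorities, tracked interface and the
! key string are assumptions.
!
! --- R1 (primary) ---
! Object 1 goes down when the WAN link loses line protocol.
track 1 interface Serial0/0/0 line-protocol
!
interface GigabitEthernet0/1.31
 encapsulation dot1Q 31
 ip address 10.11.31.2 255.255.255.0
 standby version 2
 ! 10.11.31.1 is the virtual gateway address the DHCP pool hands out
 standby 31 ip 10.11.31.1
 ! higher priority wins; with WAN down 110-20 = 90 < 100 and R2 takes over
 standby 31 priority 110
 standby 31 preempt delay minimum 30
 standby 31 track 1 decrement 20
 ! authenticate hellos so a host on the VLAN cannot announce a higher
 ! priority and make itself the default gateway
 standby 31 authentication md5 key-string Hsrp-change-me
!
! --- R2 (secondary) ---
interface GigabitEthernet0/1.31
 encapsulation dot1Q 31
 ip address 10.11.31.3 255.255.255.0
 standby version 2
 standby 31 ip 10.11.31.1
 standby 31 priority 100
 standby 31 preempt
 standby 31 authentication md5 key-string Hsrp-change-me
!
! Verification on either router:
!   show standby brief
!   show track 1
```

Preemption matters on both routers: without it the router that happens to be active stays active even after a higher-priority router returns, so the "primary" role would silently move after the first failure.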

Network Address Translation


This section describes Network Address Translation (NAT) and includes the following topics:

• Why NAT?, page 5-13
• How NAT Works, page 5-14
• Port Address Translation, page 5-16
• Static NAT, page 5-16
• NAT Inside the Payload, page 5-16

Why NAT?
NAT was developed to allow networks using private IP addresses to communicate over the Internet. As explained earlier in the Private IP Addresses section on page 3-14, you cannot send traffic using a private IP address to the public Internet, because the same private IP address may be used by many networks that are all connected to the Internet, and each IP address on the Internet must be unique. For example, consider three small businesses, company1, company2, and company3, which are connected to the Internet as shown in Figure 5-2. Each laptop or PC at each of these businesses gets a private IP address from the same range (10.11.31.10 to 10.11.31.110). The WAN interface of each business has a public IP address as shown. Employees of each company can communicate using their PCs or laptops within each private network, because each computer has a unique private IP address within that network. However, if a laptop with the IP address 10.11.31.40 at one company tries to send a message to 10.11.31.90 at another company, the packet cannot reach it. Instead, the data packet is delivered on the local network, because the destination appears to be on the same subnet. If the destination address were a private address with a different network ID, it might be sent to a public Internet router, but it would be dropped because a public Internet router does not accept or forward packets to a private IP address.


Figure 5-2 Use of Private IP Addresses by Businesses

[Figure: three sites (Small business 1, Small business 2, Small business 3), each labelled "Network with Private IP Addresses" and each using the same private range 10.11.31.10 to 10.11.31.110. Each site connects to the Internet through a WAN interface with a public IP address: 209.165.201.8, 209.165.202.130 and 209.165.200.227. The Internet cloud is labelled "does not know how to reach private IP addresses such as 10.11.31.10".]

How NAT Works


NAT allows networks with private IP addresses to communicate over the Internet by translating the private IP addresses to a public IP address (see Figure 5-3). NAT causes a router to translate the private source IP address to a public IP address when traffic is forwarded to the Internet. This can either be a fixed, preconfigured address or an address assigned from a preconfigured range of addresses. A router using NAT maintains a NAT table mapping private IP addresses and ports to public IP addresses and ports. This table lets the router perform the reverse translation, from public IP address back to private IP address, on any returning traffic from the Internet. When the response to a packet sent from the LAN arrives from the Internet, the router replaces the public destination IP address in the packet with the corresponding private IP address found in the NAT table, and forwards the packet to that private address. A packet arriving from the Internet that matches no entry in the table cannot be translated and is dropped, which is why hosts behind NAT are not reachable from the Internet unless a static entry is configured for them. Thus the router acts as a translation agent for packets traveling between the network and the Internet.


Figure 5-3 Network Address Translation

[Figure: a laptop with the private IP address 10.11.31.10 (one of the "Private IP Addresses assigned to laptops") sits behind a WAN router whose public IP address is 209.165.200.227; the router connects to the Internet, where a web server at 209.165.201.10 is reached. The packet headers shown on each side of the router are:]

Packet sent by the laptop (LAN side):
  Source IP Addr: 10.11.31.10, Source port: 1901 -> Destination IP Addr: 209.165.201.10, Destination port: 80
Same packet after translation (Internet side):
  Source IP Addr: 209.165.200.227, Source port: 2200 -> Destination IP Addr: 209.165.201.10, Destination port: 80
Response from the web server (Internet side):
  Source IP Addr: 209.165.201.10, Source port: 80 -> Destination IP Addr: 209.165.200.227, Destination port: 2200
Response after reverse translation (LAN side):
  Source IP Addr: 209.165.201.10, Source port: 80 -> Destination IP Addr: 10.11.31.10, Destination port: 1901

Router NAT Table
  Protocol   Source IP Address & Port   Translated IP Address & Port   Destination IP Address & Port
  UDP        10.11.31.10:53             209.165.200.227:38             209.165.202.130:53
  TCP        10.11.31.10:1901           209.165.200.227:2200           209.165.201.10:80

Figure 5-3 shows an example of network translation when PCs or laptops from the private subnet 10.11.31.0/24 send traffic to the public Internet and the WAN router translates these IP addresses to the public IP address 209.165.200.227. The second line in the router NAT table shows the address translation when a laptop with IP address 10.11.31.10 opens a web page on a public Internet server with the IP address 209.165.201.10. In this case, the session established by the laptop is identified by TCP port 1901 at the source laptop and by TCP port 80, which is the well-known HTTP port, at the destination. As shown, the NAT router assigns an unused port 2200 to identify the source laptop, and creates the entry shown in the NAT table. It then substitutes the WAN IP address 209.165.200.227 and the port TCP port 2200 in the original IP packet and forwards it to the web server. When the response from the web server arrives, the IP packet has destination IP address 209.165.200.227, and TCP port 2200. The WAN router consults its NAT table, changes the destination address and port, and forwards the packet to 10.11.31.10 with TCP port 1901.


Port Address Translation


The type of NAT described in this example, where a range of IP addresses is translated to a single publicly routable IP address, is the most common form of NAT, known as NAT Overload, or Port Address Translation (PAT). When applying PAT, the router distinguishes between the different source addresses by assigning each session an unused TCP/UDP port that is unique in the NAT table. It is called Port Address Translation because TCP/UDP ports are used to identify traffic to and from different private addresses. A consequence is that protocols without ports (for example, some VPN and tunneling protocols) need special handling, or a static translation, to work through PAT.

Static NAT
Static NAT, also known as 1-to-1 NAT, translates a single private address to a single public IP address. Public servers, such as a web server or an e-mail server, that are assigned a private address on an internal network but are accessed from the public Internet, require a fixed, public IP address. In this case, the private IP address is translated to a unique, publicly routable IP address. For example, if you add an e-mail server with the IP address 10.11.31.22 and want it to be accessed from the Internet using the IP address 209.165.200.229, the router can be configured with a single static NAT entry that translates 10.11.31.22 to 209.165.200.229.

Note

It is also possible to translate an IP address from a range of private IP addresses to an IP address selected dynamically from a pool of public IP addresses. This is suitable when the number of devices is larger than the number of publicly routable addresses, but is not common for small businesses.

NAT Inside the Payload


NAT translates IP addresses in the IP packet header. However, many applications put IP addresses inside the IP payload as well. Applications that do this include the following:

• IP telephony applications using Session Initiation Protocol (SIP)
• Audio or video applications using the H.323 protocol
• DNS

When performing NAT with these kinds of applications, the router must read and change the user data payload to translate the IP address (often called an application layer gateway, or ALG, for that protocol). When selecting a router to perform NAT, you should understand the requirements of the applications deployed in your network, because routers from different vendors vary in their level of support for various types of NAT. The NAT recommendations for a small business network are as follows:

• Use PAT/NAT overload for the subnets used by PCs and laptops. The following information is typically needed to configure PAT/NAT overload:
  – IP subnet of the PCs/laptops (and/or the range of IP addresses in this subnet)
  – IP addresses to exclude from NAT (for example, addresses assigned to network devices that do not access the Internet)
  – Public IP address (the WAN interface IP address) to which the private IP addresses are to be translated


• No NAT is needed for a server accessible by employees unless it is accessed from the public Internet. This is true even if the server is accessed using a private IP address by employees from various locations using a VPN connection.
• Use static NAT for servers that can be accessed from the public Internet (e-mail, HTTP, and so forth). The following information is typically needed to configure NAT for a server that is accessed from the public Internet:
  – Fixed private IP address assigned to the server
  – Fixed public IP address assigned to the server
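The two recommendations above, as an added Cisco IOS example (not from the original primer): PAT for the 10.11.31.0/24 PC subnet to the WAN address 209.165.200.227, and static NAT publishing the e-mail server 10.11.31.22 as 209.165.200.229, the addresses used in this section. The interface names, the excluded range 10.11.31.240-255, and the use of the classic IOS Firewall (ip inspect) feature set are assumptions.

```cisco
! Added example: PAT for the PC/laptop subnet plus static NAT for the
! e-mail server. Interface names, the excluded range and the presence of
! the IOS Firewall feature set are assumptions.
!
! 1. Which inside addresses are translated: the PC subnet, except the
!    server (it gets its own static entry) and the network devices in
!    .240-.255 that never need the Internet.
ip access-list standard NAT-INSIDE
 deny   host 10.11.31.22
 deny   10.11.31.240 0.0.0.15
 permit 10.11.31.0 0.0.0.255
!
! 2. PAT / NAT overload: every permitted source is rewritten to the WAN
!    interface address and given an unused source port (Figure 5-3).
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
! 3. Static 1-to-1 NAT: 10.11.31.22 is reachable from the Internet as
!    209.165.200.229 (the provider must route that address to this router).
ip nat inside source static 10.11.31.22 209.165.200.229
!
! 4. A NAT entry is not a firewall. The static entry exposes every port of
!    the server, so the inbound ACL (evaluated before translation, against
!    the public address) admits only SMTP to it. Replies to outbound
!    sessions are admitted dynamically by the stateful inspection rule.
ip inspect name LAN-OUT tcp
ip inspect name LAN-OUT udp
ip inspect name LAN-OUT icmp
ip access-list extended WAN-IN
 permit tcp any host 209.165.200.229 eq smtp
 deny   ip any any log
!
interface GigabitEthernet0/0
 description WAN, static address from the provider
 ip address 209.165.200.227 255.255.255.224
 ip nat outside
 ip access-group WAN-IN in
 ip inspect LAN-OUT out
!
interface GigabitEthernet0/1.31
 description DATA VLAN
 encapsulation dot1Q 31
 ip address 10.11.31.1 255.255.255.0
 ip nat inside
!
! Verification:
!   show ip nat translations
!   show ip nat statistics
!   show ip inspect sessions
```

The "deny ... log" line is what turns the WAN-IN list into evidence: unsolicited inbound connection attempts to the published address show up in syslog, which is the first place to look when the server is under scan.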

Network Management
Network management includes the following operations:

• Network device provisioning, which consists of adding new devices, services, and users
• Administration, which determines the assignment of network resources
• Configuration
• Monitoring
• Maintenance

These activities can be performed manually or automatically using a variety of tools, which are described in the following topics:

• Web-Based Management Tools, page 5-17
• Command-Line Interface, page 5-17
• Simple Network Management Protocol, page 5-18
• WAN Router Universal Plug and Play, page 5-18

Web-Based Management Tools


A good web-based or other GUI management tool simplifies network management with a simple user interface that does not require specialized knowledge of the command line interface for each network device. Setup wizards are often provided to help with the installation and initial configuration of the network devices, by prompting the administrator for the information required.

Command-Line Interface
Network management using a command-line interface (CLI) may not be available on all network devices as some devices support only web-based or other GUI management tools. Although CLIs typically require some specialized training or extensive experience, the CLI often provides more granular configuration for network devices. Also, the CLI configuration can typically be saved and transferred from one device to another, which simplifies and standardizes the configuration of similar devices.


Simple Network Management Protocol


Simple Network Management Protocol (SNMP) is a standard protocol that exists in three versions: SNMPv1, SNMPv2c, and SNMPv3. SNMP is used to gather and distribute information about network devices and to remotely change the configuration of network devices. SNMP-enabled network devices can be monitored, configured, and administered from another device in the network, typically through a network management application. SNMPv1 and SNMPv2c identify the requester only by a community string sent in clear text, so anyone who can capture the traffic or guess the string can read the device's configuration and, with a read-write community, change it. SNMPv3 adds per-user authentication and encryption and should be used wherever the devices support it, with access further limited to the management station's address.
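The weak and the hardened setting side by side, as an added Cisco IOS example (not from the original primer). The management station address 10.11.31.5, the view, group and user names and the passphrases are assumptions.

```cisco
! Added example: SNMP on a router or switch. The management station
! address, names and passphrases are assumptions.
!
! Weak, and still common: SNMPv2c with guessable community strings,
! accepted from any source address, one of them read-write.
! (shown as comments so they are not applied)
!   snmp-server community public RO
!   snmp-server community private RW
!
! Hardened: SNMPv3 with authentication (SHA) and encryption (AES-128),
! read-only, accepted only from the management station.
access-list 99 permit 10.11.31.5
!
snmp-server view MGMT-VIEW iso included
snmp-server group MGMT-RO v3 priv read MGMT-VIEW access 99
snmp-server user netmon MGMT-RO v3 auth sha Auth-pass-change-me priv aes 128 Priv-pass-change-me
!
! Traps for the events this chapter cares about, also sent as SNMPv3 authPriv.
snmp-server enable traps snmp authentication linkdown linkup coldstart
snmp-server host 10.11.31.5 version 3 priv netmon
!
! Verification:
!   show snmp user
!   show snmp group
!   show snmp host
```

Two things catch people out: "snmp-server user" lines are not displayed in the running configuration (use "show snmp user"), and a device that still has an old "snmp-server community" line configured keeps answering v2c requests no matter how good the v3 setup is, so remove the community strings explicitly.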

WAN Router Universal Plug and Play


Network devices that support Universal Plug and Play (UPnP) automatically discover one another and work together over a network. Defined by the UPnP Forum, the UPnP standards aim to simplify network configuration by letting a device automatically discover other devices, learn their capabilities, obtain its IP address, connect with other devices, and work without any user configuration. UPnP is suited to the small networks found in homes or in small businesses. For example, adding a network attached storage (NAS) device or a video surveillance camera is simplified if both the device and the WAN router support UPnP: adding the device also updates the WAN router configuration as necessary so that the device can communicate with the network. Windows XP and Vista are UPnP capable. UPnP uses the TCP/IP protocols, HTTP, and XML. Because it is built on top of the TCP/IP protocol suite, UPnP can work with any networking media supported by TCP/IP, such as Ethernet or wireless networks. If a UPnP device needs to be accessed from the Internet, the firewall must be configured to allow access. In addition, unless the WAN router NAT is capable of translating IP addresses within the IP packet payload, the UPnP device must learn the public IP address of the WAN router and place that address, rather than its own private IP address, in the IP payload. These steps are often done automatically as well, depending on the UPnP capabilities of the device and the WAN router. For UPnP to function, both the network-attached device and the WAN router must support UPnP. Because a UPnP request to open an inbound port on the WAN router is not authenticated, any device on the LAN, including a compromised one, can expose internal services to the Internet this way; the router's UPnP port-mapping function should be left disabled unless it is actually needed. Due to these dependencies, this technology is more suitable for very small networks.

Other Management Tools


Several management tools can detect network anomalies and notify the administrator using e-mail. Other tools useful for network management include the ping command, which uses the Internet Control Message Protocol (ICMP), and syslog servers that store activity and error logs sent by network devices. Forwarding logs to a syslog server also preserves them if the device itself is rebooted or tampered with.


Chapter 6

IP Telephony Infrastructure
This chapter describes specific aspects of the network infrastructure required for implementation of IP telephony. This chapter includes the following sections:

• Voice-Specific VLAN, page 6-1
• Power over Ethernet, page 6-1
• Quality of Service for IP Telephony, page 6-1
• Unified Communication Management, page 6-3

Voice-Specific VLAN
It is recommended that voice components in the network be placed in a separate VLAN, to separate voice traffic from other traffic, and to allow voice-specific policies to be applied to the voice traffic.

Power over Ethernet


Power over Ethernet (PoE) is a switch feature that allows the switch to provide electrical power to IP phones and other low-voltage devices through the Ethernet cable. This eliminates the need for separate power supplies for the IP phones, simplifies deployment, and reduces cable clutter.

Quality of Service for IP Telephony


IP telephony traffic can be classified into voice bearer traffic (the actual voice data in digitized form) and call signaling traffic, which includes the messages and signals between IP telephones and the voice gateway. The quality of service (QoS) requirements for these two traffic classes are summarized in Table 6-1.


Table 6-1 IP Telephony Quality of Service (QoS)

Max end-to-end packet delay
  Voice bearer traffic: < 150 ms for best voice quality; < 250 ms for inter-regional calls may be of acceptable quality to most users (ITU-T G.114).
  Voice signaling traffic: Does not require delay bounds as strict as bearer traffic, but long delay slows down call establishment.

Max percentage of packet loss
  Voice bearer traffic: Assuming a codec that can conceal the loss of a single packet but not the loss of two consecutive packets, 1% packet loss generates an audible voice glitch every 3 minutes on average, and 0.25% packet loss generates a glitch every 53 minutes on average.
  Voice signaling traffic: Packet loss should be recognized, and the lost packet is transmitted again.

Max jitter (delay variation)
  Voice bearer traffic: < 30 ms recommended
  Voice signaling traffic: N/A

As can be seen, voice bearer packets are very sensitive to packet delay, loss, and jitter. Voice signaling traffic is sensitive to packet loss, but can accommodate some amount of delay and jitter. Keeping these requirements in mind, the network should be designed to provide proper QoS to these two voice-related traffic classes. The typical QoS treatment for these traffic classes in the configuration of the router are shown in Table 6-2.
Table 6-2 Typical QoS Functionality in a Router

Traffic marking
  Voice bearer traffic: Traffic is assumed to be already marked with DSCP CS5 (or IP precedence 5).
  Voice signaling traffic: Traffic is assumed to be marked with DSCP CS3 or AF31 (or IP precedence 3). If the router itself generates signaling traffic (Unified Communication Manager is part of the router), then the router must be able to mark the signaling traffic.

Queuing
  Voice bearer traffic: Priority queue (voice bearer traffic is forwarded by the router before any other traffic, to minimize delay and packet loss).
  Voice signaling traffic: A minimum bandwidth of about 5-10% of the line bandwidth is guaranteed to this traffic during congestion, so that packets are not dropped.

Rate-limiting
  Voice bearer traffic: Voice bearer traffic is ideally restricted to not more than 33-40% of the WAN bandwidth (to prevent voice bearer traffic from using the whole line rate and starving other traffic classes).
  Voice signaling traffic: N/A

The QoS features that the router must provide to support IP telephony include the following:

• Priority queuing
• Class-based weighted fair queuing (CBWFQ)
• Policing

See Appendix A, Quality of Service, for details. The features that the switch must provide to support IP telephony include the following:

• Priority queuing
• Weighted round robin (WRR) or shaped round robin (SRR) queuing
• Policing and marking

See Appendix A, Quality of Service, for details.
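The router treatment in Table 6-2, and the WAN congestion problem described in the WAN Router Quality of Service section of Chapter 5, as an added Cisco IOS example (not from the original primer). The WAN interface name and its bandwidth are assumptions; the DSCP values are those in Table 6-2, with EF added because it is the marking most IP phones actually use for bearer traffic.

```cisco
! Added example: WAN-edge QoS for voice. Interface name and bandwidth are
! assumptions; DSCP values follow Table 6-2 (EF added for bearer traffic).
!
! Classification: trust the DSCP already set by the phones/call agent.
class-map match-any VOICE-BEARER
 match dscp cs5
 match dscp ef
class-map match-any VOICE-SIGNALING
 match dscp cs3
 match dscp af31
!
policy-map WAN-EDGE
 ! Priority queue: bearer packets go first. "priority percent" is also a
 ! policer: anything above 33% of the link is dropped during congestion,
 ! which is the rate-limiting row of Table 6-2.
 class VOICE-BEARER
  priority percent 33
 ! CBWFQ guarantee: signaling keeps at least 5% of the link when congested.
 class VOICE-SIGNALING
  bandwidth percent 5
 ! Everything else shares the remainder fairly instead of starving.
 class class-default
  fair-queue
!
! The policy only takes effect on the interface that actually congests:
! the slow WAN side, in the outbound (LAN to WAN) direction.
interface Serial0/0/0
 bandwidth 1544
 service-policy output WAN-EDGE
!
! Verification (watch the drop counters per class under load):
!   show policy-map interface Serial0/0/0
```

The "bandwidth" statement matters: the percentages are computed from it, so on an Ethernet-handoff WAN link whose contracted rate is far below the port speed, set it to the contracted rate or the priority queue will be sized for a link that does not exist.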

Unified Communication Management


In larger networks, a dedicated Cisco Unified Communication Manager Server is used to manage call processing. However, small business networks often prefer the Cisco Unified Communication Manager functionality integrated within the WAN router, to minimize the number of network devices and limit costs. An integrated Unified Communication Manager provides similar functionality to a dedicated server, and provides sufficient capacity for small business networks. Apart from QoS, there are additional requirements for implementing Unified Communication Manager, such as call control and call admission control, but these are outside the scope of this document.


Chapter 7

Infrastructure Requirement for Wireless LAN


A complete description of a wireless LAN (WLAN) implementation is outside the scope of this document. However, this chapter provides a short description of the wired infrastructure required for implementing a WLAN. It includes the following sections:

• Overview, page 7-1
• Wireless Devices, page 7-1
• Separate VLANs for Wireless Traffic, page 7-2
• Quality of Service, page 7-2
• WLAN Security, page 7-3

Overview
A WLAN is typically used for the following purposes in a network:

• To connect employee laptops wirelessly to the office network, allowing the employees to be mobile within the office
• For deploying wireless IP phones in the office
• To allow visitors to access the Internet wirelessly through the office network, while preventing or limiting access to office resources

The network features required to support a WLAN are described in the following sections.

Wireless Devices
For adding a WLAN to a wired network, the network must have two types of specialized wireless devices, which are briefly described in this section:

• Wireless Access Point, page 7-1
• Wireless LAN Controller, page 7-2

Wireless Access Point


A wireless access point (AP) includes a wireless transmitter and receiver to send and receive traffic to and from other wireless devices such as laptops, wireless IP phones, and wireless video cameras.


Because a limited number of users are supported by a single AP, a network may need more than one AP depending on the number of users and their geographical distribution. An AP is typically attached to a switch, but can be directly attached to a router as well. In a small business network, the AP may be integrated with a router to reduce the number of devices and to reduce cost.

Wireless LAN Controller


The wireless LAN controller is needed if the network supports multiple subnets and allows a user to roam from one to another while maintaining a wireless connection. The wireless LAN controller also helps authenticate users and can automatically place guests in a separate VLAN to restrict access to sensitive network resources. APs forward their traffic to the wireless LAN controller if present in a network, and the controller then forwards the traffic to the appropriate subnets. The wireless LAN controller is typically connected to the aggregation switch or to a router.

Separate VLANs for Wireless Traffic


Separate VLANs for traffic to and from wireless APs are necessary in any of the following situations:

• Wireless LAN controllers are used to deploy seamless roaming across multiple IP subnets.
• Guest access functionality is deployed to separate guest traffic from other traffic. Guest access is typically provided in a wireless network in conjunction with a wireless LAN controller.

Quality of Service
If voice applications are deployed in the wireless network, such as wireless IP telephones, QoS in the wireless as well as the wired network becomes important. In this case, the wireless APs must implement Wireless Multimedia Extensions (WMM) to perform QoS in wireless media. WMM classifies and marks wireless traffic and provides QoS to traffic classes, including the following:

Voice
Video
Best effort

These markings may not exactly match traffic marking for corresponding traffic classes in the wired network. Therefore, the WMM traffic classifications and markings must be mapped to each other either by the AP, or by the switch to which the AP is connected.


WLAN Security
Because wireless is a broadcast medium, anyone can send or receive data over the medium, so security in a WLAN is especially important. Security in a WLAN requires the following components, which are important because of the inherent lack of security in the technology used for wireless signaling (the physical layer):

Authentication, page 7-3
Data Encryption, page 7-3

Authentication
User authentication prevents unauthorized access to network resources. An AP or a wireless LAN controller may support several types of authentication that are used by clients to connect to the WLAN. The 802.11 specification describes methods for authenticating WLAN clients, including the following:

Open authentication: Consists of two messages, the authentication request and the authentication response.
Shared key authentication: Requires the requesting client and the AP to be configured with a static key.
MAC address authentication: The AP is configured with a list of permitted MAC addresses.
802.1X-based authentication, such as EAP, PEAP, TLS, and TTLS.

The IEEE 802.1X standard provides a framework for many authentication types at the link layer. On receiving wireless traffic from a client, an 802.1X-enabled AP authenticates the client against an authentication server (for example, a RADIUS server). The client is allowed to send data only if the authentication is successful.

Data Encryption
A WLAN supports several types of encryption methods that are used by clients, together with an authentication method, to connect to the AP. The following are some of the encryption methods commonly used in WLANs:

Wired Equivalent Privacy (WEP).
Cisco WEP Extensions (Cisco Key Integrity Protocol with Cisco Message Integrity Check).
Wi-Fi Protected Access (WPA) / Wi-Fi Protected Access 2 (WPA 2): A pre-shared key can be configured. TKIP and CCMP (AES) encryption are supported.
Wi-Fi Protected Access (WPA) / Wi-Fi Protected Access 2 (WPA 2) Enterprise: Uses RADIUS to authenticate clients for WPA or WPA2. TKIP and CCMP (AES) are supported.


WPA2 with AES encryption is recommended, because it provides better security. For a comprehensive review of 802.11 wireless LAN security and the Cisco Wireless Security Suite, see the Wireless LAN Security White Paper at the following website: http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/ps4076/prod_white_paper09186a00800b469f_tk809_TSD_Technologies_White_Paper.html


Appendix A

Quality of Service
This appendix describes quality of service (QoS) concepts and mechanisms. It includes the following sections:

Overview, page A-1
Traffic Classification, page A-2
Traffic Marking, page A-3
Traffic Policing, page A-4
Traffic Shaping, page A-4
Queuing, page A-5
QoS in a Switch, page A-6
QoS in a WAN Router, page A-6
Advanced QoS, page A-7

Overview
Quality of service (QoS) is a set of features that help manage packet loss, transmission delay, and jitter for different types of traffic such as voice, video, critical business data, and Internet browsing traffic. The following are some useful definitions:

Packet loss: The percentage of packets the network does not deliver.
Delay: The time it takes a packet to reach its destination after being transmitted from the sending endpoint. In the case of voice traffic, a useful measure is the mouth-to-ear delay, which is the total time it takes for sound to pass from speaker to listener.
Delay variation (jitter): The difference in the end-to-end delays between packets. For example, if one packet required 100 milliseconds (ms) to traverse the network from the source to the destination and the following packet required 125 ms to make the same trip, then the jitter would be calculated as 25 ms.

Voice and video-based applications require packet loss, delay, and jitter to be kept within certain limits. QoS is essential in networks deploying voice or video applications to ensure that these limits are respected. QoS can also provide better bandwidth guarantees to business-critical data, so that transmission of financial information gets a higher priority than casual Internet browsing. If a network provides only Internet access for browsing and Internet based e-mail, then the network does not need QoS. However, even in this case, it is better to deploy QoS-capable network devices for investment protection, because QoS is likely to be required as the network grows.


The following sections describe the basic techniques used by network devices to provide QoS to various traffic types.

Traffic Classification
Because QoS treats different types of traffic differently, the first step is to classify traffic into various traffic classes such as voice traffic, signaling traffic, critical business application traffic, and all other traffic. Any number of traffic classes can be used, depending on how granular you want your QoS policies to be. A network device can classify traffic according to any of the following methods:

Port on which the traffic is received. For example, all traffic from a switch port connected to a video camera would belong to the video traffic class.
Value of one or more fields in a packet. For example, the source and destination IP address, or field values set by the application generating the traffic.
Upper layer (Layer 4 to 7) information contained in the packet. For example, the TCP/UDP port used for the session is often used to identify an application. Some common application protocols and ports are summarized in Table A-1.
IP Precedence or DSCP fields of the IP packet, or the CoS field in an Ethernet frame. This assumes that the packet has already been classified by the traffic source or by another network device, which might be directly attached to the traffic source. The traffic classification is written to the fields in the IP packet or Ethernet frame that are reserved for this information.

Table A-1 Common Application Protocols and Ports

Application             Layer 4 Protocol   Layer 4 Port
E-mail (SMTP traffic)   TCP                25
WWW (HTTP)              TCP                80
Secure HTTP (HTTPS)     TCP                443
Telnet                  TCP                23
Domain Name System      TCP/UDP            53

After being classified, the traffic can be processed by QoS mechanisms, such as policing, queuing, and so forth, that work with classified packets. Although traffic can be classified in any way necessary, some common traffic classes include the following:

Voice traffic
Video traffic
Signaling traffic: Traffic used to manage network connections, such as those required to set up IP phone calls, or video and teleconferencing sessions.
Routing and internetworking traffic: Traffic between network devices used for communication among the network devices.
Critical business applications
Best effort traffic: Traffic, such as casual Internet browsing, that is not provided any QoS guarantee, so the traffic is most susceptible to packet loss, delay, and jitter in a congested network.


Traffic Marking
After a packet is classified as belonging to a traffic class, such as voice or best effort, the packet can be marked to indicate the traffic classification (see Figure A-1).
Figure A-1 Traffic Marking in Ethernet Frames and IP Packets

[Figure: (1) Ethernet 802.1q frame, CoS bits in the VLAN tag: Destination Address, Source Address, Type/Length, 4-byte TAG, Data, FCS; the 802.1Q/p header carries a 3-bit CoS (802.1p User Priority), CFI, and VLAN ID. (2) IPv4 packet header, DSCP and IP Precedence bits in the ToS byte: the ToS byte holds the IP Precedence bits and unused bits, or the DiffServ Code Point (DSCP) and the IP ECN bits.]

Note: There are cases in which the traffic marking is local to the network device classifying the traffic, and the marking is not placed in the packet itself.

Marking the packet or frame occurs by modifying the IP Precedence or DSCP in the IP header and the CoS bits in an 802.1q Ethernet frame. The packet or frame should be marked as close to the traffic source as possible. For example, if you have an IP phone, it is best for the IP phone to mark the IP precedence or DSCP of all the packets it generates. Marking at the source distributes the work across many sources rather than relying on a few network devices. It also simplifies traffic classification, because classifying a packet farther from the source requires more complex and inefficient packet inspection, such as inspecting the Layer 4 protocol, port, source IP address, or in some cases, application-specific information.

Note: One of the important device selection criteria for devices such as IP phones, video surveillance cameras, and network storage servers (NSS) is their traffic-marking capability.
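The marking fields described above (ToS byte with DSCP/IP Precedence, the 802.1Q tag with its CoS bits, and the DSCP-to-CoS mapping a switch or AP performs), worked as an added example that is not code from the primer. The default DSCP-to-CoS map (CoS = IP Precedence) and the sample packet header are assumptions constructed for the example.

```python
# Added example (not from the Cisco primer): encode/decode helpers for the
# marking fields above. Layouts are the standard ones: IPv4 ToS byte = 6-bit
# DSCP (top 3 bits = IP Precedence) + 2-bit ECN; 802.1Q Tag Control
# Information = 3-bit CoS (802.1p user priority) + CFI + 12-bit VLAN ID.

# DSCP code points named in Table A-2 (standard DiffServ values).
DSCP = {"CS0": 0, "CS3": 24, "AF31": 26, "EF": 46, "CS6": 48}


def tos_byte(dscp, ecn=0):
    """Build a ToS byte: DSCP in bits 7..2, ECN in bits 1..0."""
    if not (0 <= dscp <= 63 and 0 <= ecn <= 3):
        raise ValueError("dscp must be 0..63 and ecn 0..3")
    return (dscp << 2) | ecn


def parse_tos(tos):
    """Split a ToS byte into (ip_precedence, dscp, ecn)."""
    dscp = (tos >> 2) & 0x3F
    return dscp >> 3, dscp, tos & 0x3


def dscp_to_cos(dscp):
    """Default DSCP-to-CoS map: CoS = IP Precedence (the 3 high-order DSCP bits).
    Assumption: this is the usual default map; many switches let you edit it."""
    return (dscp >> 3) & 0x7


def cos_to_dscp(cos):
    """Default CoS-to-DSCP map: CoS n becomes class selector CSn (DSCP = n << 3)."""
    return (cos & 0x7) << 3


def dot1q_tci(cos, vlan_id, cfi=0):
    """Build the 16-bit Tag Control Information field of an 802.1Q tag."""
    if not (0 <= cos <= 7 and 0 <= vlan_id <= 4095 and cfi in (0, 1)):
        raise ValueError("cos 0..7, vlan_id 0..4095, cfi 0 or 1")
    return (cos << 13) | (cfi << 12) | vlan_id


def parse_tci(tci):
    """Split Tag Control Information into (cos, cfi, vlan_id)."""
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0xFFF


def ipv4_checksum(header):
    """Standard IPv4 header checksum (one's complement of the one's complement
    sum of 16-bit words). Returns 0 when run over a header whose checksum
    field already holds the correct value."""
    total = 0
    for i in range(0, len(header), 2):
        total += (header[i] << 8) | header[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def remark_ipv4(header, dscp):
    """Re-mark the DSCP of a raw IPv4 header, as an AP or switch does when it
    marks near the source: keep the ECN bits and recompute the checksum."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    hdr = bytearray(header[:ihl])
    hdr[1] = tos_byte(dscp, hdr[1] & 0x3)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = ipv4_checksum(hdr).to_bytes(2, "big")
    return bytes(hdr)


def sample_header():
    """Constructed sample: a 20-byte IPv4/UDP header, unmarked (DSCP 0)."""
    hdr = bytearray(20)
    hdr[0] = 0x45                                   # version 4, IHL 5
    hdr[2:4] = (20 + 172).to_bytes(2, "big")        # total length
    hdr[4:6] = b"\x1c\x46"                          # identification
    hdr[6:8] = b"\x40\x00"                          # flags: DF
    hdr[8], hdr[9] = 64, 17                         # TTL, protocol UDP
    hdr[12:16] = bytes([192, 0, 2, 10])             # constructed source
    hdr[16:20] = bytes([198, 51, 100, 20])          # constructed destination
    hdr[10:12] = ipv4_checksum(hdr).to_bytes(2, "big")
    return bytes(hdr)


if __name__ == "__main__":
    voice = remark_ipv4(sample_header(), DSCP["EF"])
    prec, dscp, ecn = parse_tos(voice[1])
    print(f"ToS 0x{voice[1]:02x}: precedence {prec}, DSCP {dscp}, CoS {dscp_to_cos(dscp)}")
    print("checksum valid:", ipv4_checksum(voice) == 0)
```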


Traffic Policing
Traffic policing, also known as rate limiting, measures traffic rate for a traffic class and drops traffic that exceeds a specified rate. For example, policing can ensure that voice traffic coming into a switch or router through a specific port or interface does not exceed 300 kbps. Policing does not buffer traffic that exceeds the policing rate; it simply drops any excess traffic. However, some devices can mark the excess traffic as best effort, which means there is no QoS guarantee. Although the policing device may drop packets, it does not delay any packet that it does transmit. This makes policing a suitable mechanism for enforcing a maximum rate for delay-sensitive traffic, such as voice. However, actually dropping voice traffic is detrimental to voice quality. Policing is used with voice traffic only to enforce a traffic limit that is normally not expected to be exceeded. Traffic shaping, which is described in the following section, has different characteristics.

Traffic Shaping
Like traffic policing, traffic shaping imposes a maximum bandwidth on a traffic class. However, instead of dropping the excess traffic, it stores the excess traffic in a queue (see Figure A-2). Incoming packets are placed in the queue and packets from the head of the queue are taken out and transmitted at the shaped rate.
Figure A-2 Traffic Policing vs. Traffic Shaping

[Figure: traffic volume plotted against time for each mechanism. Policing: traffic exceeding the configured rate is dropped. Shaping: traffic is buffered and smoothed to the configured rate, which potentially results in increased latency.]

With traffic shaping, as long as there is no traffic congestion, the queue remains empty, and incoming packets are immediately transmitted. However, when the incoming traffic rate exceeds the shaped rate, a queue is formed. If the queue becomes full, excess packets are dropped.


If the incoming traffic rate decreases before the queue is full, then the packets from the queue are removed from the queue and transmitted. This type of buffering smooths out the traffic, as shown in Figure A-2. Although this is beneficial in many cases, the packets that are buffered are delayed. Therefore, shaping may delay packets during congestion, and that makes it unsuitable for certain delay-sensitive traffic, such as voice traffic. The general recommendation is to avoid shaping delay-sensitive traffic, such as voice. For rate limiting voice traffic, policing is generally recommended. However, rate limiting through shaping provides better throughput than policing for traffic from applications that are not delay sensitive.
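The policing and shaping behaviour described in the two sections above, as an added simulation that is not code from the primer: a token-bucket policer and a rate-based shaper are run over the same constructed burst, so that the drop-versus-delay trade-off is visible in numbers. The rate, burst, queue size and packet sizes are assumptions chosen for the example.

```python
# Added example (not from the Cisco primer): a token-bucket policer beside a
# shaper, run over the same constructed burst. The policer drops excess at once
# and never delays a packet; the shaper queues excess, delays it, and drops only
# when its queue is full.
from collections import deque


def police(packets, rate_bps, burst_bytes):
    """Single-rate policer. packets: list of (arrival_s, size_bytes) in time order.
    Returns (sent, dropped); sent entries are (arrival, delay, size), delay always 0."""
    tokens, last = burst_bytes, 0.0
    sent, dropped = [], []
    for t, size in packets:
        tokens = min(burst_bytes, tokens + (t - last) * rate_bps / 8)  # refill
        last = t
        if size <= tokens:
            tokens -= size
            sent.append((t, 0.0, size))            # forwarded immediately
        else:
            dropped.append((t, size))              # excess is dropped, not buffered
    return sent, dropped


def shape(packets, rate_bps, queue_limit_bytes):
    """Shaper: serializes at rate_bps; excess waits in a bounded FIFO queue.
    Returns (sent, dropped) with sent entries as (arrival, delay, size)."""
    waiting = deque()        # (start_time, size) of packets queued, not yet on the wire
    next_free = 0.0          # time the shaped output becomes free
    sent, dropped = [], []
    for t, size in packets:
        while waiting and waiting[0][0] <= t:   # packets already started left the queue
            waiting.popleft()
        backlog = sum(s for _, s in waiting)
        if backlog + size > queue_limit_bytes:  # queue full: only now does shaping drop
            dropped.append((t, size))
            continue
        start = max(t, next_free)
        next_free = start + size * 8 / rate_bps
        if start > t:
            waiting.append((start, size))
        sent.append((t, start - t, size))       # delay = time spent in the queue
    return sent, dropped


def bursty_packets():
    """Constructed input: 20 packets of 200 bytes at t=0 s, then 5 more at t=1 s."""
    return [(0.0, 200)] * 20 + [(1.0, 200)] * 5


def compare(rate_bps=80_000, burst_bytes=1000, queue_limit_bytes=2000):
    """Run both mechanisms on the same input; return a summary per mechanism."""
    packets = bursty_packets()
    summary = {}
    for name, (sent, dropped) in (("policing", police(packets, rate_bps, burst_bytes)),
                                  ("shaping", shape(packets, rate_bps, queue_limit_bytes))):
        summary[name] = {
            "sent": len(sent),
            "dropped": len(dropped),
            "max_delay_ms": max(d for _, d, _ in sent) * 1000,
        }
    return summary


if __name__ == "__main__":
    for name, s in compare().items():
        print(f"{name:9s} sent={s['sent']:2d} dropped={s['dropped']:2d} "
              f"max delay={s['max_delay_ms']:.0f} ms")
```

With the defaults the policer forwards 10 packets with zero delay and drops 15, while the shaper forwards 16 and drops 9 but delays some of them by 200 ms; the second, smaller burst passes both untouched because the bucket has refilled and the shaper's queue has drained.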

Queuing
If a network interface is uncongested, then packets are transmitted in strict First-In-First-Out (FIFO) order. However, if a network device, such as a router or switch, receives packets faster than they can be transmitted on any interface or port, the excess packets may be placed in a queue (see Figure A-3). Packets from the head of the queue are transmitted first. Packets that the network device wants to transmit through the interface are added to the tail of the queue. If there is no traffic congestion, the queue remains empty. As congestion increases, the queue size grows. There is a finite limit to the queue size. If there is sustained congestion, the queue fills up and excess packets are dropped. This description applies to a single queue associated with an interface. Often, there are multiple queues for an interface, one per traffic class as shown in Figure A-3. A queuing scheduler is an algorithm that identifies the packet from each queue to transmit next and it can consider the traffic class. Traffic of a higher priority class can be given higher transmission priority, or can be assigned a minimum assured bandwidth during congestion.
Figure A-3 Queuing Process

[Figure: forwarded packets are sorted by class (Traffic Class 1 into Queue 1, Traffic Class 2 into Queue 2, Default Class into the Default Queue); a queuing scheduler selects the next packet from these queues for transmission on the interface.]

Different queuing policies may be configured to determine the order in which packets should be transmitted from each queue:

Weighted Round Robin (WRR): Each traffic class can be assigned a minimum bandwidth guarantee during congestion. Any unused bandwidth for a specific traffic class can be shared with other classes. An example of WRR is class-based weighted fair queuing.
Shaped Round Robin (SRR): Each traffic class can be assigned a reserved bandwidth guarantee that no other traffic class can use. Any unused bandwidth assigned to a traffic class is lost.
Priority queuing (PQ): One queue is assigned the highest priority by the queuing scheduler. Every packet in this queue is transmitted before any packet in any other queue. WRR scheduling can be applied after the priority queue is empty. An example of such priority queuing is Low Latency Queuing (LLQ), sometimes called PQ/CBWFQ. Priority queuing ensures that the traffic class to which it is applied has minimum delay. Priority queuing is recommended for delay-sensitive traffic, such as voice.
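The scheduler behaviour described in the queuing policies above, as an added slotted simulation that is not code from the primer: one packet leaves per slot, a voice queue can be served with strict priority, and the remaining queues are served by weighted round robin. The weights and the arrival pattern are assumptions constructed for the example; running the same arrivals with and without the priority queue shows why PQ is recommended for voice.

```python
# Added example (not from the Cisco primer): a slotted PQ + WRR scheduler.
# One packet is transmitted per slot; the priority class is always served
# first, and the other classes share the remaining slots by WRR credit.
from collections import deque


def schedule(arrivals, weights, priority_class=None):
    """arrivals: (slot, class_name, packet_id) tuples; weights: class -> packets
    served per WRR round. Returns [(packet_id, class_name, delay_in_slots), ...]."""
    queues = {cls: deque() for cls in weights}
    pending = deque(sorted(arrivals))
    order = list(weights)                 # WRR visiting order
    idx, credit = 0, weights[order[0]]
    out, slot = [], 0
    while pending or any(queues.values()):
        while pending and pending[0][0] <= slot:      # enqueue this slot's arrivals
            arrived, cls, pid = pending.popleft()
            queues[cls].append((arrived, pid))
        chosen = None
        if priority_class and queues[priority_class]:
            chosen = priority_class                   # strict priority: always first
        else:
            for _ in range(len(order) + 1):           # WRR: spend credit, else move on
                if credit == 0 or not queues[order[idx]]:
                    idx = (idx + 1) % len(order)
                    credit = weights[order[idx]]
                    continue
                chosen = order[idx]
                credit -= 1
                break
        if chosen is not None:
            arrived, pid = queues[chosen].popleft()
            out.append((pid, chosen, slot - arrived))
        slot += 1                                     # idle slot if nothing was queued
    return out


def max_delay_by_class(schedule_out):
    """Worst-case queuing delay (in slots) seen by each class."""
    worst = {}
    for _, cls, delay in schedule_out:
        worst[cls] = max(worst.get(cls, 0), delay)
    return worst


def congested_arrivals():
    """Constructed congestion: 12 data packets burst in at slot 0 while one
    voice packet arrives every second slot."""
    voice = [(s, "voice", f"v{s // 2}") for s in range(0, 16, 2)]
    data = [(0, "data", f"d{i}") for i in range(12)]
    return voice + data


WEIGHTS = {"voice": 1, "data": 3}   # WRR shares used when voice is not prioritized

if __name__ == "__main__":
    wrr_only = max_delay_by_class(schedule(congested_arrivals(), WEIGHTS))
    llq = max_delay_by_class(schedule(congested_arrivals(), WEIGHTS, priority_class="voice"))
    print("WRR only :", wrr_only)   # voice waits behind the data burst
    print("PQ + WRR :", llq)        # voice delay 0, data absorbs the wait
```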

QoS in a Switch
QoS in a switch is implemented by hardware. Typically, a fixed number of hardware queues (two to four) are provided on the QoS-enabled switches used in small business networks. Each switch port has its own set of hardware queues. If there are more traffic classes than there are hardware queues, then multiple traffic classes are assigned to the same queue. The QoS switch features include the following:

WRR queuing with hardware queues
SRR queuing with hardware queues
Priority queuing, which is necessary in a switch to support applications such as voice
Policing, if traffic is to be rate limited
Marking incoming traffic
If multiple traffic classes are placed in the same queue because the number of queues is less than the number of traffic classes used, some facility to drop traffic of one class before dropping traffic of other classes in the queue
802.1q trunking, with the ability to mark CoS based on IP precedence/DSCP and vice versa

Not every switch provides all the required functionality. Switches with good QoS features are recommended, particularly if applications such as voice or video are deployed at any time.

QoS in a WAN Router


In most small business networks, the WAN router has a 100 Mbps or 1000 Mbps LAN interface, while the WAN interface bandwidth is much less than 100 Mbps. This often creates a situation in which the router receives more traffic from the LAN than it can send through the WAN. As a result, the WAN interface becomes congested, and critical traffic, such as routing information, VoIP signaling, and real-time voice traffic, may be dropped. Congestion is not typically an issue for downstream traffic sent from the WAN to the LAN, because the LAN has more than enough bandwidth to handle the incoming traffic. To prevent traffic drops due to congestion on the WAN interface, specific traffic classes must be defined and an adequate amount of bandwidth assigned to each class, to ensure that all traffic is provided with the necessary QoS. Table A-2 presents the minimum traffic classes necessary for a small business, assuming voice service is to be deployed. These QoS features are not required if voice service is not deployed.


Table A-2 Traffic Classes and Their QoS Attributes

Traffic Class   Description                          IP Precedence   DSCP                        Queuing Type            Minimum Bandwidth Guarantee (in percent of interface bandwidth)
Real time       Voice bearer                         5               EF (Expedited Forwarding)   Priority Queuing (PQ)   33 to 50%
Signaling       Voice signaling                      3               AF31 (or CS3)               CBWFQ                   5 to 10%
Routing         Routing, VPN control plane traffic   6               CS6                         CBWFQ                   5 to 10%
Best effort     Data traffic                         0               CS0                         CBWFQ                   Remaining bandwidth after other queues have been serviced

Note: Additional classes for other applications can be added as needed. The QoS policy is applied on any interface of the router that has the potential for traffic congestion.

Advanced QoS
This section describes some advanced QoS features and includes the following sections:

Hierarchical Queuing, page A-7
Weighted Random Early Detection, page A-7

Hierarchical Queuing
Hierarchical Queuing is essential if the service provider contract allows a WAN bandwidth that is less than the bandwidth of the WAN interface. For example, if the contract is for 6 Mbps of traffic over a Fast Ethernet WAN link (which can forward at the rate of 100 Mbps), the service provider is likely to drop traffic it receives over the 6 Mbps contractual rate. This can drop voice and video packets. Therefore, instead of sending traffic at full line rate to the service provider, it is better to shape the traffic through the WAN interface to 6 Mbps (the contractual rate). Different traffic classes should get the appropriate bandwidth using the queuing mechanism, calculated based on the contractual bandwidth. This type of queuing within shaped output is known as hierarchical queuing.

Weighted Random Early Detection


Weighted Random Early Detection (WRED) helps to improve network performance for TCP-based traffic by randomly dropping packets of TCP connections before network congestion occurs. Without WRED, when the queue gets full, all further incoming packets are dropped. This sudden spurt in packet drops may affect a large number of TCP applications. These applications will be forced to drastically reduce their sending rate, and then gradually increase it again. When the sending rate exceeds a certain limit, the queue drops the packets and the same TCP behavior is repeated.


WRED alleviates this issue. Drop probability can be applied to traffic of different classes. The probability of being dropped is based on the relative importance of the traffic. WRED is recommended on an interface, such as the WAN interface, that transports a large number of TCP sessions.


Appendix B

Network Security
This appendix describes network security, which is critical to protect a business and its resources from various threats, such as viruses, worms, and denial-of-service (DoS) attacks. This appendix includes the following sections:

Infrastructure Protection, page B-1
Firewall Policy Enforcement, page B-2
Enhanced Stateful Packet Inspection, page B-5
Allowing Specific Traffic Types through the Firewall, page B-6
Mitigating DoS Attacks, page B-7

When a comprehensive security strategy is implemented, protective measures can identify, prevent, and effectively mitigate security threats. This appendix introduces the general areas of network security, including infrastructure protection and firewall policy enforcement. Virtual private networks are described in Appendix C, Virtual Private Network (VPN) for Secure Connectivity.

Infrastructure Protection
Network infrastructure components, such as routers, switches, and network servers, are often targets of attacks that can affect business operations. Security tools and best practices help protect each network component and the infrastructure as a whole and help ensure network availability. The following are general recommendations for protecting the network infrastructure components.

Control administrative access to the network device:

To prevent unauthorized persons from accessing network devices, administrative access can be controlled by allowing only secure access using the local console, Telnet, HTTPS, or SSH, and by limiting the number of administrators. In addition, administrative access can be limited to specific interfaces or IP subnets, wherever practical. Administrator passwords, as well as other passwords on the device such as VPN user passwords, must be encrypted. Strong passwords should be used, with at least six characters and a mix of letters, digits, and special characters. If the router supports it, limiting the administrative login rate and the number of login retries helps prevent unauthorized access to the router.


Unless actually required in a deployment, disable the following services, which can potentially pose security threats if they are enabled on the router:

IP source routing
IP BOOTP server
CDP
Directed broadcast
finger
TCP small servers
UDP small servers
IP redirects
IP proxy ARP
IP gratuitous ARP
IP unreachables
MOP service
PAD service
SNMP

Drop unexpected traffic, including the following:

Traffic to or from the public Internet with private destination IP addresses.
Traffic from the LAN to the router without the correct source address (for example, with a public Internet address).
Traffic that does not arrive on the expected interface, per the routing table. This prevents attackers using incorrect (spoofed) source IP addresses from accessing the network. Enable Unicast Reverse Path Forwarding (uRPF), which performs this check, or any equivalent router feature that is available.

Log errors and events: The network device must log errors, the identity of persons accessing the device, and other events, so that security threats are easier to detect.
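One way to check a router configuration against the recommendations above, as an added audit script that is not code from the primer. Assumptions: the configuration uses IOS-style syntax, and the checklist items map to the global and per-interface "no ..." commands named in the script; the sample configuration is constructed for the example, and the interface name passed as the WAN interface is an assumption.

```python
# Added example (not from the Cisco primer): audit an IOS-style configuration
# against the infrastructure protection checklist above. Assumption: each
# checklist item corresponds to the command given here; adjust the tables for
# other platforms.

# Global settings expected in a hardened configuration (checklist item -> line).
GLOBAL_EXPECTED = {
    "IP source routing disabled": "no ip source-route",
    "BOOTP server disabled": "no ip bootp server",
    "CDP disabled": "no cdp run",
    "finger disabled": "no ip finger",
    "TCP small servers disabled": "no service tcp-small-servers",
    "UDP small servers disabled": "no service udp-small-servers",
    "PAD service disabled": "no service pad",
    "gratuitous ARP disabled": "no ip gratuitous-arps",
    "passwords encrypted": "service password-encryption",
}
# Per-interface settings expected on every routed interface.
INTERFACE_EXPECTED = {
    "directed broadcast disabled": "no ip directed-broadcast",
    "ICMP redirects disabled": "no ip redirects",
    "proxy ARP disabled": "no ip proxy-arp",
    "ICMP unreachables disabled": "no ip unreachables",
    "MOP disabled": "no mop enabled",
}
# uRPF is expected on the interface facing the public Internet.
URPF_LINE = "ip verify unicast source reachable-via rx"


def parse_config(text):
    """Return (global_lines, {interface_name: [lines]}) from an IOS-style config."""
    globals_, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):          # blank or comment line
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())  # indented: belongs to the interface
        else:
            current = None
            globals_.append(line.strip())
    return globals_, interfaces


def audit(text, wan_interface):
    """Return human-readable findings; an empty list means every check passed."""
    globals_, interfaces = parse_config(text)
    findings = []
    for item, expected in GLOBAL_EXPECTED.items():
        if expected not in globals_:
            findings.append(f"global: {item} (missing '{expected}')")
    if any(g.startswith("snmp-server community ") for g in globals_):
        findings.append("global: SNMP community configured; disable unless required")
    if not any(g.startswith("login block-for ") for g in globals_):
        findings.append("global: no login rate limiting (missing 'login block-for ...')")
    for name, lines in interfaces.items():
        for item, expected in INTERFACE_EXPECTED.items():
            if expected not in lines:
                findings.append(f"{name}: {item} (missing '{expected}')")
        if name == wan_interface and URPF_LINE not in lines:
            findings.append(f"{name}: uRPF not enabled (missing '{URPF_LINE}')")
    return findings


SAMPLE_CONFIG = """\
! constructed sample, not a real device configuration
service password-encryption
no ip source-route
no ip bootp server
no service pad
login block-for 120 attempts 3 within 60
snmp-server community public RO
interface GigabitEthernet0/0
 description WAN (constructed)
 ip address 203.0.113.2 255.255.255.252
 no ip redirects
 no ip proxy-arp
interface GigabitEthernet0/1
 description LAN (constructed)
 ip address 192.168.10.1 255.255.255.0
 no ip directed-broadcast
 no ip redirects
 no ip proxy-arp
 no ip unreachables
 no mop enabled
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "GigabitEthernet0/0"):
        print("FINDING:", finding)
```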

Firewall Policy Enforcement


Firewall policy enforcement defines the acceptable and unacceptable traffic flows to network resources and other devices attached to the network, and allows only acceptable traffic into the network. For example, a typical firewall allows an employee of an organization to browse the Internet, but may block someone on the public Internet from accessing an employee PC. Although a dedicated firewall appliance can be used to enforce firewall policies, a small business network can use the WAN router itself to enforce them, reducing cost and the number of network devices. Conceptually, the firewall policies divide the network interfaces of a router into different security zones, and define rules to allow or block traffic between these zones (see Figure B-1). Different routers may use different methods to define these zones. Some may explicitly assign zone names to router interfaces and specify traffic permission rules between zone pairs, some may apply a security level to each interface with implicit traffic permission rules, while others may name their interfaces specifically as a LAN interface, WAN interface, and DMZ interface with default rules. However, all these implementations either have built-in traffic permission rules between zones, or allow an administrator to create or edit zones and their rules.
Figure B-1 Typical Firewall Security Zones

[Figure: two WAN router layouts. Basic Firewall: the Internet on the WAN interface (outside zone) and the LAN on the inside interface (inside zone). Firewall with DMZ: the same two zones plus a DMZ interface (DMZ zone) for servers accessible from the Internet (e-mail server, HTTP server, etc.).]

Figure B-1 shows three firewall security zones in a router. The first two zones, at least, are required by the simplest firewall policy:

Inside zone: PCs, laptops, and other end-user devices such as printers, scanners, and network storage servers that are connected to the LAN are placed in the inside zone.
Outside zone: The WAN interface is placed in the outside zone.
DMZ: Servers accessed from the public Internet are placed in the DMZ.

The rules for the inside and outside zones are defined so that employees can access the public Internet, but someone from the public Internet cannot access PCs or other LAN devices and resources. If servers are accessed from the public Internet, such as web servers or e-mail servers, an additional zone, called the Demilitarized Zone (DMZ) is required. This zone allows you to apply firewall rules that help prevent the servers from being used to stage a security attack on the inside zone. This potential exists because these servers can be accessed from the public Internet. After defining the required security zones, there are typically three types of firewall policies that can be applied to traffic passing between two different zones, such as the inside and outside zone in the current example:

PASS: Allow all traffic, or allow selected traffic, between the two zones.
DROP: Drop all traffic, or drop selected traffic, between the two zones.
Inspect: Allow members of one zone to initiate sessions of selected traffic to the other zone, and also allow the return traffic. This is also known as stateful packet inspection. A session is essentially a single TCP or UDP connection using a specific application port, or an ICMP (ping) packet and its response.

Traffic can be selected using access control lists applied to the router interfaces, or by any other means supported by a specific router.


Firewall Policies for Internet Access


The firewall policies for a deployment offering only public Internet access service are very simple. Access from the public Internet to employee laptops and other LAN resources in the inside zone must be prevented. Therefore, the policy for outside zone to inside zone traffic is to drop all. The typical policy for inside zone to outside zone traffic is to inspect all. This allows an employee to initiate a session to the public Internet in the outside zone, and the router allows return traffic for the session from the Internet to the employee laptop. These policies are summarized in Table B-1.
Table B-1 Typical Policies for Security Zones

From / To           To Inside Zone   To Outside Zone
From inside zone    Allow            Inspect
From outside zone   Drop             Allow

A router, particularly one that is intended for use in small networks, may have specific ports marked as the WAN port and LAN port, and provide these firewall policies by default. The administrator simply selects the traffic to be passed, dropped, or inspected.

Firewall Policies for the DMZ


As mentioned earlier, a DMZ zone is necessary only if a server in the network can be accessed from the public Internet. These servers should be placed in the DMZ. Because servers in the DMZ are accessed from the Internet, there is a possibility that they may be hacked. When compromised, such a server can itself infect or attack network devices and user PCs or laptops connected to the network. To prevent this, DMZ policies allow sessions to be initiated to the DMZ server from the Internet (outside zone) or by employees (inside zone), and allow return traffic by applying the inspect policy. However, no sessions can be initiated by the servers or any other device in the DMZ. Table B-2 summarizes typical firewall policies for a network with a DMZ.
Table B-2 Typical DMZ Security Policies

From / To           To Inside Zone   To Outside Zone   To DMZ Zone
From inside zone    Allow            Inspect           Inspect
From outside zone   Drop             Allow             Inspect
From DMZ zone       Drop             Drop              Allow

A router, particularly one intended for small networks, may have specific ports marked as WAN port, LAN port, and DMZ port, and provides these firewall policies by default with options to edit the policies and select the traffic allowed between the zones. This type of firewall minimizes the configuration required to implement a simple firewall policy.


Additional Firewall Zones


Some routers offer greater flexibility to explicitly configure multiple zones and the firewall policies. These routers allow configuring additional zones, which may be required in specific cases. Some additional security zones and their possible uses include the following:

Local-services zone: Some deployments may implement more granular zones to differentiate between different types of servers, such as those accessed from the public Internet (DMZ zone) and those accessed only by the employees (possibly over a VPN). Such servers include RADIUS servers, local DNS servers, and servers that control voice calls. These servers are placed in the Local-services zone. The inside zone can initiate traffic to this zone. This zone cannot initiate traffic to any other zone, except possibly the self zone, as required.
VPN zone: VPN connections may be placed in a separate zone to differentiate firewall policies between local users and users connected through a VPN. This is useful to restrict VPN users from accessing some services when connected through a VPN. When such restriction is not necessary, the VPN users can be placed in the inside zone instead.
Self zone: The self zone is the router itself, controlling traffic intended for the router. For example, a remote location may establish an IPSec VPN session with the router, an administrator may access the router using Telnet, HTTPS, or SSH, or a PC/laptop may obtain an IP address through DHCP from the WAN router. Access to this zone is typically restricted using access control lists or other mechanisms.

Enhanced Stateful Packet Inspection


Stateful packet inspection works for TCP, UDP sessions, and ICMP requests and responses. A firewall may also examine additional information in certain protocols to allow proper operation of the application or to detect potential threats. A firewall can detect and monitor additional connections generated by the initial connection. Some applications generate additional TCP or UDP connections after the initial connection has been established. In such a case, the firewall needs to monitor these additional connections along with the original one. For example, when a file transfer is requested by an FTP application, the requester establishes a TCP connection with the FTP server. After that, the server opens a new TCP connection, using a different TCP port to transfer the file. When FTP traffic is inspected, the firewall should automatically detect the new connections and allow the traffic to enter the firewall. Otherwise, file transfers will be interrupted. Other, similar examples include the following:

H.323 sessions from NetMeeting
Applications using the Real-time Session Protocol (RTSP), including:
Cisco IP/TV
Real Networks RealAudio G2 Player
Apple QuickTime

In all these cases, the firewall automatically detects additional sessions as they are created and allows the traffic from the sessions through the firewall. The firewall allows the administrator to specify the applications that should be allowed.


A firewall can also intelligently examine data exchanges to detect potential application-specific threats. A firewall may examine the data exchange in a session to determine the potential for a specific threat and take suitable action as necessary, including breaking the connection. For example, HTTP inspection offers Java Applet filtering to block malicious content in HTTP traffic. When malicious content is found, the packets are dropped. Firewalls may also examine traffic of many other protocols such as those used for e-mail (SMTP, ESMTP, POP3, or IMAP), or by IP telephony applications (SIP and SCCP) to detect and prevent unwanted traffic.

Note: The level of security provided by a firewall depends on the protocols it can analyze. This is an important consideration when choosing a firewall device.

Allowing Specific Traffic Types through the Firewall


Although a firewall typically prevents any session from being initiated from the Internet to the router, exceptions occur for certain well-known traffic types. Examples of this type of traffic control are shown in Table B-3 and Table B-4. Making these kinds of controlled exceptions is sometimes referred to as opening holes through the firewall. Such a controlled exception is required to allow VPN sessions to be established with the router. A firewall normally drops traffic from a remote site when it tries to establish a VPN connection. However, the firewall should allow incoming traffic to the VPN gateway. The traffic allowed by the firewall can be further restricted to allow traffic only from known source IP addresses, such as from a remote office. It is important to limit access from the public Internet to the specific services deployed on the DMZ servers. The firewall allows traffic to a publicly accessible DMZ server, but it can still restrict traffic to the services that are deployed on a specific server, such as e-mail, HTTP, or DNS. When a DMZ server is deployed, the firewall must be configured to allow traffic to the IP address, protocol, and port applicable to the service running on the specific server.
Table B-3 Controlling Traffic by VPN Protocol

Firewall is configured to allow traffic destined to:

VPN Protocol    IP Address                        Protocol    Layer 4 Port
IPSec ISAKMP    IPSec VPN gateway (WAN router)    UDP         500
IPSec ESP       IPSec VPN gateway (WAN router)    IP          50
IPSec NAT-T     IPSec VPN gateway (WAN router)    UDP         4500
SSL VPN         SSL VPN gateway (WAN router)      TCP/UDP     443


Table B-4 Controlling Traffic by Network Application

Firewall is configured to allow traffic destined to:

Application      IP Address                  Layer 4 Protocol    Layer 4 Port
E-mail server    E-mail server IP address    TCP                 25
WWW server       Web server IP address       TCP                 80
DNS server       DNS server IP address       TCP/UDP             53

Mitigating DoS Attacks


A firewall maintains the connection status of every TCP and UDP connection established through it. Each connection uses a small amount of the router memory and CPU. Although a router can normally handle many connections with ease, attackers may attack the router by rapidly establishing thousands of connections to a server through the firewall. The server may not be able to respond to all these requests, or the server may be non-existent. The result is a large number of half-open sessions that consume enough of the router memory and CPU to make it temporarily unable to forward network traffic. This kind of attack, where an attacker disables a network device by overwhelming its capacity, is known as a denial-of-service (DoS) attack. A good firewall provides protection against DoS attacks by doing the following:

Restricting the number of possible half-open sessions to a limit beyond which older half-open sessions are terminated

Controlling the maximum time a half-open session can be alive

Limiting the maximum rate of session requests

Many low-cost firewalls have these limits hard-coded and are non-configurable. It is recommended to select a router that offers the flexibility of changing these limits based on deployment requirements.
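The three controls listed above, as an added example in Python (not Cisco code): a small half-open session table that enforces a table cap, a half-open timeout and a session-request rate limit. The HalfOpenLimiter name, the thresholds and the addresses are constructed for illustration.

```python
"""Added example (not Cisco code): a minimal half-open TCP session table that applies
the three DoS controls listed above. Thresholds, names and addresses are constructed."""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class HalfOpenLimiter:
    max_half_open: int = 4           # cap; beyond it the oldest half-open entry is dropped
    half_open_timeout: float = 30.0  # seconds a half-open session may stay alive
    max_rate: int = 3                # new session requests allowed per rate_window seconds
    rate_window: float = 1.0
    # insertion-ordered table: key = (src_ip, dst_ip, dst_port), value = time the SYN arrived
    half_open: dict = field(default_factory=dict)
    recent_requests: deque = field(default_factory=deque)
    evicted: int = 0        # half-open entries removed by the cap or the timeout
    rate_limited: int = 0   # SYNs dropped by the rate limit

    def _expire(self, now: float) -> None:
        """Control 2: terminate half-open sessions that outlived the timeout."""
        for key, started in list(self.half_open.items()):
            if now - started > self.half_open_timeout:
                del self.half_open[key]
                self.evicted += 1

    def syn(self, key: tuple, now: float) -> bool:
        """A SYN arrived; return True if it is admitted and tracked, False if dropped."""
        self._expire(now)
        # Control 3: limit the rate of new session requests (sliding time window)
        while self.recent_requests and now - self.recent_requests[0] > self.rate_window:
            self.recent_requests.popleft()
        if len(self.recent_requests) >= self.max_rate:
            self.rate_limited += 1
            return False
        self.recent_requests.append(now)
        # Control 1: cap the table; drop the oldest half-open entry to make room
        if key not in self.half_open and len(self.half_open) >= self.max_half_open:
            oldest = next(iter(self.half_open))
            del self.half_open[oldest]
            self.evicted += 1
        self.half_open[key] = now
        return True

    def established(self, key: tuple) -> bool:
        """Three-way handshake completed: the session leaves the half-open table."""
        return self.half_open.pop(key, None) is not None


def simulate() -> dict:
    """Replay a constructed burst of SYNs against one server and report what happened."""
    lim = HalfOpenLimiter()
    server = "192.0.2.10"
    # burst of 5 SYNs within half a second: the rate limit admits only 3
    burst = [lim.syn((f"198.51.100.{i}", server, 80), now=0.1 * i) for i in range(5)]
    # one legitimate client completes its handshake and is no longer half-open
    completed = lim.established(("198.51.100.1", server, 80))
    # a second later the rate window has cleared, so the table cap is what bites
    later = [lim.syn((f"198.51.100.{10 + i}", server, 80), now=2.0 + 0.1 * i) for i in range(3)]
    # 40 s on, every remaining half-open entry has timed out before the next SYN
    lim.syn(("203.0.113.5", server, 80), now=40.0)
    return {
        "burst": burst, "completed": completed, "later": later,
        "rate_limited": lim.rate_limited, "evicted": lim.evicted,
        "still_half_open": len(lim.half_open),
    }


if __name__ == "__main__":
    print(simulate())
```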


Appendix C

Virtual Private Network (VPN) for Secure Connectivity


The security of data transmitted between employees of a business over the public Internet is critical. This appendix describes Virtual Private Network (VPN) technology, which can help ensure the security of data transmitted over a shared public network. This appendix includes the following sections:

Overview, page C-1
Basic Cryptographic Procedures, page C-2
IPSec Technology, page C-4
Virtual Private Network for Small Businesses, page C-7

Overview
VPN technology is useful for any small business that has multiple locations that exchange information over the public Internet, or that has home offices or mobile workers who connect to the main office over the Internet. Securing data over a public network is a complex issue because the data may be intercepted by unauthorized devices, or it may get modified in transit. The security of data transmitted over a network involves three aspects:

Data confidentiality: Keeping data secret from all but the intended destination. Data confidentiality is achieved by encrypting the data.

Data integrity: Ensuring that any modification of data is easily detected. Various hash techniques are used for maintaining data integrity.

Authenticity: Establishing proof of the identity of the receiver and sender, which prevents impersonation. Authentication ensures that the authorized source or destination device is sending or receiving the data. This is usually achieved by passwords or certificates.

The following section explains the basic cryptographic procedures for achieving data confidentiality, data integrity, and authentication that are provided by VPN technology. The subsequent two sections describe the most popular VPN technologies: IPSec and SSL VPN.


Basic Cryptographic Procedures


This section provides a brief introduction to the various basic cryptographic technologies used by VPNs for confidentiality, integrity, and authentication. It includes the following topics:

Preshared Key, page C-2
RSA, page C-2
Cryptographic Hash Function, page C-2
Hash-Based Message Authentication Code, page C-3
X.509 Digital Certificate, page C-3
Diffie-Hellman Key Exchange, page C-3
Encryption, page C-4

Preshared Key
When using preshared (secret) keys, a string of letters, digits, and special characters is known only to source and destination. The preshared key can be used for a variety of purposes, such as an encryption key for data confidentiality, or to authenticate a network device. The weakness of preshared keys is the difficulty of securely sharing the key, and the related difficulty of keeping the key secret.

RSA
RSA is a public-key cryptographic algorithm that can be used to create a public key and a private key. The public key can be known to everyone and can be used for encrypting messages. Messages encrypted with the public key can be decrypted only using the private key. Typically a public key is publicly known, but the private key is kept secret. Anyone knowing your public key can encrypt a message that only you can decrypt with the secret private key. The main weakness of RSA is that it is significantly slower to compute compared to popular secret-key algorithms, such as DES or AES.

Cryptographic Hash Function


A cryptographic hash function is a procedure that converts a message of any size into a fixed-size bit string called a hash value. Any change in the message generates a different hash value, so if the hash value of a message is known, it is easy to detect any modification in the message. It is not possible to recreate the original message from the hash value, so this is called a one-way hash function. The most commonly used cryptographic hash functions are Secure Hash Algorithm 1 (SHA-1) and Message Digest 5 (MD5). These are used for ensuring data integrity, often in combination with other cryptographic procedures (see Hash-Based Message Authentication Code, page C-3). Both methods are very popular, and suitable for small business deployments, although SHA is likely to be more secure.


Hash-Based Message Authentication Code


Hash-Based Message Authentication Code (HMAC) defines a procedure that can ensure that a message transmitted has not been changed en route by performing the following:

Hashing a combination of the message and a secret key known to the destination, using either MD5 or SHA-1

Appending the hash value (message digest) to the message

The destination device produces its own version of the hash value from the message using the secret key it knows. If the calculated hash value matches the received hash value appended to the message, then the message has not been tampered with. This ensures data integrity. If the hash values match, it can be assumed that the secret key on both devices matches as well, thus authenticating the sender to the receiver. Therefore HMAC can be used to ensure both message integrity and sender authentication. Depending on the actual hash function used (MD5 or SHA-1), the HMAC procedure is called either HMAC-MD5 or HMAC-SHA-1.
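The sender and receiver sides of the HMAC procedure above, as an added example using Python's standard library (not Cisco code). The key and message are constructed demo values; the protect/verify/demo names are assumptions of this example.

```python
"""Added example (not Cisco code): the HMAC procedure with Python's standard library.
Key and message are constructed demo values."""
import hashlib
import hmac

# Constructed demo values; on real VPN peers the key is the configured secret.
DEMO_KEY = b"constructed-demo-key"
DEMO_MESSAGE = b"ESP payload: seq=42 data=hello"

ALGOS = {"md5": hashlib.md5, "sha1": hashlib.sha1}   # HMAC-MD5 and HMAC-SHA-1


def protect(message: bytes, key: bytes, algo: str = "sha1") -> bytes:
    """Sender side: hash the message together with the key (HMAC) and append the
    resulting message digest to the message."""
    tag = hmac.new(key, message, ALGOS[algo]).digest()
    return message + tag


def verify(packet: bytes, key: bytes, algo: str = "sha1"):
    """Receiver side: recompute the digest over the message part with its own copy of
    the key and compare it with the received digest. Returns the message on success,
    None if the message was altered or the keys differ (integrity and sender check)."""
    tag_len = ALGOS[algo]().digest_size    # 16 bytes for MD5, 20 for SHA-1
    if len(packet) < tag_len:
        return None
    message, received_tag = packet[:-tag_len], packet[-tag_len:]
    expected = hmac.new(key, message, ALGOS[algo]).digest()
    # compare_digest runs in constant time, so a forger cannot learn byte by byte
    # how close a guessed digest is by timing the rejection
    return message if hmac.compare_digest(expected, received_tag) else None


def demo(algo: str = "sha1") -> dict:
    """Show the three outcomes: genuine packet, tampered payload, wrong key."""
    packet = protect(DEMO_MESSAGE, DEMO_KEY, algo)
    tampered = bytearray(packet)
    tampered[10] ^= 0x01                    # flip one bit inside the message part
    return {
        "tag_bytes": len(packet) - len(DEMO_MESSAGE),
        "genuine": verify(packet, DEMO_KEY, algo) == DEMO_MESSAGE,
        "tampered": verify(bytes(tampered), DEMO_KEY, algo) is None,
        "wrong_key": verify(packet, b"other-key", algo) is None,
    }


if __name__ == "__main__":
    print(demo("sha1"), demo("md5"))
```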

X.509 Digital Certificate


An X.509 digital certificate is used to prove the credentials of one network device to another, or of one organization to another. It is issued by a public or private certification authority (CA). The X.509 digital certificate, which is the most commonly used kind, has specific content and format. It contains various pieces of information, including the following:

Name of the certificate holder
Public key of the certificate holder
Certificate expiry date
Digital signature of the CA

The private key corresponding to the public key is not made public by the certificate holder. When a digital certificate is available to a network device, it can validate the correct identity of the certificate holder if it trusts the CA (verified by the digital signature of the CA). This is how an X.509 digital certificate provides authentication of a network device. A preshared key is an alternative to a digital certificate for establishing the identity of the sender or receiver. However, because preshared keys must be manually configured for each network device, administrative effort is high in large networks. A preshared key is nevertheless quite suitable for a small business network, because it is simpler to implement and does not involve the cost of renewing a certificate every year.

Diffie-Hellman Key Exchange


Diffie-Hellman (D-H) key exchange is a public key cryptography protocol that allows any two network devices to establish an identical secure key on both devices, over an insecure network such as the Internet, even though the devices have not previously communicated. The secure key cannot be learned by eavesdropping on the data being exchanged between the devices. D-H key exchange is used by IPSec, SSL VPN, and many other common protocols/applications.


This clever mechanism uses mathematical formulas involving a base prime number during the key exchange. D-H key exchange provides options for using different length base prime numbers. For example, DH Group 2 uses a length of 1024 bits, while DH Group 1 uses 768 bits. There are additional groups as well. DH group 2 is more secure than DH group 1, but both networking peers must use the same DH group. The shared key that is established by D-H key exchange can be used to encrypt traffic between the two network devices, but it requires such a high amount of computation that it is not used to encrypt regular traffic between the devices. Instead, the shared key is used to encrypt and transmit a simpler key that is then used to encrypt the traffic. The simpler key that is used to actually encrypt traffic can be based on any one of the following algorithms:

DES
3DES
AES

These are described in the next section.
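The exchange described above (each peer keeps a private value, sends only its public value across the Internet, and both arrive at the same key, which is then only used to derive the key for the bulk cipher), as an added example that is not part of the original document or of any IKE implementation. The toy primes, the DHPeer/exchange names and the SHA-256 derivation are constructed for illustration; it also shows the point that two peers configured with different groups do not agree on a key.

```python
"""Added example (not Cisco/IKE code): Diffie-Hellman key agreement between two VPN
peers, with toy group parameters constructed for this example. Real IKE groups use the
768-bit (group 1) and 1024-bit (group 2) primes from RFC 2409, too large to show here."""
import hashlib
import secrets

# Toy "groups": Mersenne primes standing in for the real MODP primes. The numbering
# mirrors the page's DH group 1 and group 2 (bigger prime = stronger) but is not them.
TOY_GROUPS = {
    1: {"p": 2**61 - 1, "g": 2},
    2: {"p": 2**89 - 1, "g": 2},
}


class DHPeer:
    def __init__(self, name: str, group: int):
        self.name = name
        self.group = group
        self.p, self.g = TOY_GROUPS[group]["p"], TOY_GROUPS[group]["g"]
        self.private = secrets.randbelow(self.p - 2) + 2    # never leaves the device
        self.public = pow(self.g, self.private, self.p)      # sent across the Internet

    def shared_secret(self, peer_public: int) -> int:
        # (g^b)^a mod p == (g^a)^b mod p, so both peers land on the same value;
        # an eavesdropper holding only g^a and g^b cannot compute it
        return pow(peer_public, self.private, self.p)


def derive_session_key(shared_secret: int, key_bits: int = 128) -> bytes:
    """The DH result is not used to encrypt traffic directly; a shorter key for the
    bulk cipher (AES-128 here) is derived from it. SHA-256 stands in for IKE's PRF."""
    length = (shared_secret.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(length, "big")).digest()[: key_bits // 8]


def exchange(group_a: int, group_b: int) -> dict:
    """Run one exchange. Both peers must use the same group for the keys to agree."""
    a = DHPeer("main-office-router", group_a)
    b = DHPeer("remote-office-router", group_b)
    on_the_wire = {"p": a.p, "g": a.g, "A": a.public, "B": b.public}   # eavesdropper's view
    key_a = derive_session_key(a.shared_secret(b.public))
    key_b = derive_session_key(b.shared_secret(a.public))
    return {"key_a": key_a, "key_b": key_b, "agree": key_a == key_b, "observed": on_the_wire}


if __name__ == "__main__":
    print("same group:", exchange(2, 2)["agree"], " mismatched groups:", exchange(1, 2)["agree"])
```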

Encryption
Data encryption is used to maintain data confidentiality. The algorithms used for encrypting data are called ciphers. The sender encrypts the data using a secret key and transmits the encrypted data over the network. The receiver decrypts the data using the same secret key. A block cipher specifies the encryption and decryption algorithms to encrypt a fixed-size block of data into a block of encrypted data of equal size. The decryption algorithm uses the same key to decrypt the encrypted data back to its original form. Three popular block ciphers are given below in the order of the level of security they provide:

Data Encryption Standard (DES): One of the oldest secret key encryption schemes, and offers the least security among the three block ciphers.

Triple DES: Triple Data Encryption Algorithm (TDEA) encrypts data three times.

Advanced Encryption Standard (AES): Provides the option of using any one of three specific block ciphers, AES-128, AES-192 and AES-256. The numbers denote the key size in bits. AES encrypts and decrypts data in 128-bit block sizes.

It is recommended to use AES encryption whenever available, because it provides the best security among the block ciphers and is computationally more efficient as well.

IPSec Technology
IP Security Protocol (IPSec) is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers (network devices). It is one of the most widely used technologies for establishing VPNs over the Internet. IPSec can be used in transport mode to protect data flow between a pair of hosts, such as a pair of PC/laptops, although this is not typical in a small business. Instead, IPSec tunnel mode offers data protection between a pair of security gateways, such as routers, or between a security gateway and a host, and is used in most VPNs.

IPSec Encapsulation: IPSec provides an option to encapsulate the data packets in one of two ways:


Encapsulating Security Payload (ESP): Provides data confidentiality and sender authentication. ESP is the most popular encapsulation used in IPSec VPNs, and is the recommended method for small business networks.

Authentication Header (AH): Provides authentication only (no data confidentiality). Not typical in VPNs. Further, this does not work with NAT.

IPSec Session between two network devices: The process of setting up an IPSec session between two network devices can be broadly divided into two steps.

IPSec First Phase: The first phase performs the following:

The network devices authenticate each other using a preshared key or a digital certificate.

Because the two devices may support different cryptographic capabilities or policies, such as encryption algorithms (DES, AES, and so forth), the network devices find a common set of algorithms/procedures that can be used between them to secure data, such as the encryption algorithm to use and the D-H group to use to establish the secret key for data encryption. The type of authentication, D-H group, and encryption method that a router can use is configured on the router as an IKE policy. This negotiation using the IKE policy is performed using a protocol known as the Internet Key Exchange (IKE) protocol, which is a specific form of the Internet Security Association and Key Management Protocol (ISAKMP). This step is said to establish an ISAKMP security association (SA) between the peers.

IPSec Second Phase: The second phase of IPSec session establishment starts only after the ISAKMP SA is established. The keys and the encryption algorithms are negotiated by the ISAKMP session during the first phase. The next step is to use the negotiated keys and algorithms for actually encrypting and transferring the data. However, before this can be done, the following additional information is required:

The encapsulation format (ESP header or AH header to be used), and the hash method to use for message integrity check and authentication (HMAC-SHA, HMAC-MD5, and so forth). The method that should be used by a network device is specified in the device by an administrator. This is commonly known as the IPSec Transform.

The type of traffic that needs to be encrypted (not all traffic flowing between two peers may need encryption). For example, a WAN router may send traffic to another office location, as well as to the Internet. Although Internet traffic is not encrypted, traffic to the other office location requires encryption.

The identity of the other end of the IPSec VPN session (typically its IP address).

The second phase establishes what is known as a pair of IPSec Security Associations (IPSec SAs) between the two peers, one IPSec SA for each direction of traffic flow. After the IPSec SAs are established, data is transferred in a secure way for as long as the SAs exist.

Recommended IPSec attributes for a small business network: Table C-1 summarizes the typically available and recommended options when configuring IKE and IPSec policies in a router. The user interface to configure these may vary among routers depending on the vendor. Some routers may assume certain default values that are not modifiable (and possibly not visible).


Table C-1 IPSec VPN Parameters

Encryption algorithm
  IKE Policy Options: DES, 3DES, or AES (AES is recommended).
  IPSec Policy Options: DES, 3DES, or AES (AES is recommended).

Hash algorithm
  IKE Policy Options: SHA or MD5
  IPSec Policy Options: SHA or MD5

Authentication method
  IKE Policy Options: Pre-shared keys (strong) or RSA. Pre-shared is recommended for small businesses.
  IPSec Policy Options: NA

Diffie-Hellman group for key exchange
  IKE Policy Options: Diffie-Hellman group 1 through 5. Using 2 or 5 is recommended.
  IPSec Policy Options: NA

Security association (SA) lifetime
  IKE Policy Options: A suitable value in seconds. A new SA is negotiated for use after this time period. A short lifetime is more secure, but may increase VPN gateway workload.
  IPSec Policy Options: NA

Encapsulation method
  IKE Policy Options: NA
  IPSec Policy Options: ESP or AH. ESP is recommended.

Note: Although the recommendations listed in this section are suitable for most deployments, it is important that any partner or customer compare these recommendations to an existing company security policy before implementing them. It is also important to determine whether the routers in the network can support the recommendations.

IPSec configuration also needs to take into consideration the following additional aspects:

IPsec NAT Transparency: The IPsec NAT Transparency (NAT-T) feature allows IP Security (IPsec) traffic to travel through a router that NATs (or PATs) the IP packets (otherwise, NAT may be incompatible with IPSec). In many routers NAT-T is automatically enabled if NAT is detected.

Replay detection: This allows a receiver of data over an IPSec connection to detect and reject old or duplicate packets. Such packets may occur during a replay attack, where the attacker sends out older or duplicate packets to the receiving device, hoping that the receiver accepts the traffic as legitimate. Each IPSec packet in an IPSec connection carries a sequence number that is continuously increased by the sender as packets are sent out. A replay attack is detected by the receiver when it finds a break in the sequence numbers. To help check for a break in packet sequence, the router has a buffer, the replay window, that stores the details of several recent packets. Some routers allow the size of the replay window to be set by the administrator, while lower-end routers assume a fixed value.
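The replay-window check described above, as an added example that is not router code: a sliding window over the packet sequence numbers that accepts new packets, tolerates reordering inside the window, and rejects duplicates and packets older than the window. The ReplayWindow name, the window size of 64 and the sample packet stream are constructed for illustration.

```python
"""Added example (not router code): an IPSec-style anti-replay sliding window over
packet sequence numbers. The window size is the administrator-settable value mentioned
above; 64 is a constructed default."""


class ReplayWindow:
    def __init__(self, size: int = 64):
        if size < 1:
            raise ValueError("replay window size must be positive")
        self.size = size
        self.highest = 0          # highest sequence number accepted so far (right edge)
        self.bitmap = 0           # bit i set => sequence number (highest - i) was received
        self.rejected = {"too_old": 0, "duplicate": 0, "invalid": 0}

    def check_and_update(self, seq: int) -> bool:
        """Return True (accept) for a sequence number not seen before that is inside
        or beyond the window. A real receiver verifies the packet's HMAC before
        updating the window so forged packets cannot push it forward; that check is
        assumed to have passed here."""
        if seq <= 0:              # sequence numbers start at 1
            self.rejected["invalid"] += 1
            return False
        if seq > self.highest:    # newer than anything seen: slide the window right
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1   # everything previously tracked falls off the left edge
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:   # older than the left edge: treated as a replay
            self.rejected["too_old"] += 1
            return False
        if self.bitmap & (1 << offset):   # already received: a duplicate
            self.rejected["duplicate"] += 1
            return False
        self.bitmap |= 1 << offset        # late but still inside the window: accept
        return True


def simulate(size: int = 8) -> dict:
    """Feed a constructed packet stream (in order, reordered, replayed, a large gap)
    through a small window and report the accept/reject decision for each packet."""
    win = ReplayWindow(size)
    stream = [1, 2, 3, 5, 4, 3, 20, 12, 13, 13, 0]
    decisions = [win.check_and_update(s) for s in stream]
    return {"stream": stream, "accepted": decisions, "rejected": win.rejected,
            "window_right_edge": win.highest}


if __name__ == "__main__":
    for seq, ok in zip(simulate()["stream"], simulate()["accepted"]):
        print(seq, "accept" if ok else "reject")
```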


Virtual Private Network for Small Businesses


A small business typically supports the following types of VPNs:

IPSec site-to-site VPN for secure connection with remote offices
IPSec-based remote access VPN for home office or mobile workers
SSL VPN for mobile workers

Each of the three types of VPNs is described below.

IPSec Site-to-Site VPN for Remote Office


IPSec site-to-site VPNs are suitable for secure connectivity between two business locations, such as a main office and a remote office. Additional remote offices can be added as spokes to the main office, which acts as the VPN hub. Each such remote office needs appropriate IPSec configuration on the hub router. Because the main office WAN router must be reconfigured every time a remote office is added or removed, the administrative effort for IPSec site-to-site VPN increases significantly with the larger number of remote offices found in large enterprises. However, IPSec site-to-site VPN is very suitable for small businesses with a main office and a few remote offices.

IPSec Remote Access VPN for Home Office and Mobile Workers
When the IP address of the remote location is not known, as in the case of a home office or a mobile worker whose WAN IP address may change, site-to-site IPSec VPN is not possible. In addition, as the number of home offices and/or mobile workers increases, updating the IPSec configuration of the main office router every time an employee joins, leaves, or moves would have a high impact on network administration. An IPSec remote access VPN is suitable in such cases. IPSec remote access VPN replaces the peer authentication with authentication of a group of employees who share the same key. This requires the configuration of a group profile on the hub router. In addition, each user is also individually authenticated via a protocol known as XAUTH. An IPSec remote access VPN can be established between the main office WAN router and the mobile worker's laptop or the home office router. The laptop needs to have the IPSec remote access VPN client software available from the vendor installed. IPSec remote access VPN implementations are non-standard; the client of one vendor will not work with another vendor's hub router.

SSL VPN for Mobile Worker


Unlike IPSec remote access VPN, SSL VPN uses Secure Sockets Layer (SSL), a standardized protocol, so there is better inter-vendor operability. The SSL protocol allows secure web browsing. However, unlike IPSec, which encrypts IP packets, SSL VPN encrypts only TCP packets. Hence it cannot be used to support applications that use non-TCP protocols without additional enhancements. SSL VPN has become quite popular for supporting mobile workers. Before describing how SSL VPN works, it is worthwhile to see how the underlying Secure Sockets Layer (SSL) protocol works:
1. A browser requests a web page using the HTTPS protocol (such as https://www.cisco.com).

2. The web server responds to this by sending its certificate, which has its public key.

3. The browser verifies the certificate to ensure the authenticity of the web server.

4. The browser encrypts a random encryption key using the web server's public key. It also encrypts the required URL using the encryption key. It then sends both to the web server.

5. The web server, using its private key, decrypts the received encryption key, and uses the key to decrypt the URL and associated data.

6. Next, the web server encrypts the requested HTML document with the key, and sends it to the browser.

7. The browser decrypts the HTML document using the key and displays the information.

In SSL VPN, an SSL VPN gateway device is inserted between the browser and the target web server. The browser forwards all web traffic to the SSL VPN gateway using Secure Sockets Layer for data confidentiality. The SSL VPN gateway retrieves the original web request from the received data and appropriately forms and forwards another HTTP request to the real target web server on behalf of the browser. It also forwards the response back to the browser. Thus the SSL VPN gateway acts as a proxy for the actual web servers. The SSL protocol ensures data confidentiality and end point authentication. SSL VPN can only access browser-based applications using TCP protocols. However, using client software, SSL VPN can be used to access any TCP and non-TCP application. The configuration of SSL uses many of the basic cryptographic procedures described earlier, and they are not repeated here. Table C-2 provides a comparison between IPSec remote access VPN and SSL VPN to help identify the suitability of one over the other depending on deployment needs.

Table C-2 Comparison of IPSec and SSL VPN Technology

Standards
  IPSec Remote Access VPN: Implementation is not a standard. Vendor interoperability not typical.
  SSL VPN: Standard implementation. Vendor interoperability possible for basic SSL VPN.
  Remark: However, vendors typically enhance SSL VPN for additional features such as accessing all applications via SSL; in such cases vendor interoperability is not guaranteed.

Supported applications
  IPSec Remote Access VPN: Works for any IP-based application.
  SSL VPN: Works for only TCP applications.
  Remark: Non-standard SSL VPN implementations allow access to all applications.

Endpoints
  IPSec Remote Access VPN: Can be between a router (home office) and a hub.
  SSL VPN: Only supported from an end user laptop/PC (mobile worker).

Client software
  IPSec Remote Access VPN: Laptop needs a client.
  SSL VPN: No client is necessary. A browser can be used to establish an SSL VPN session.
  Remark: A non-standard SSL VPN implementation that allows access to all applications requires a client.

Authentication
  IPSec Remote Access VPN: Authentication can be done with either pre-shared key or certificate.
  SSL VPN: Authentication with certificate only.

